Update build-tools used in build-tools

[CraigMacomber]

Description

As part of trying to update to pnpm 11 with its more robust trust policy, I noticed we have several existing trust policy violations in existing lock files which will fail with pnpm 11. To simplify this, I'm updating build tools, so that the versions of packages which need exclusions are the same across different workspaces so the esclusions we already have can be copied instead of introducing new ones (which adds risk and complexity).

This updates build tools used by build tools to match the version used in the root, and moves over some of the required trust poicy exclusions required to use build tools.

Reviewer Guidance

The review process is outlined on this wiki page.

[github-actions]

Hi! Thank you for opening this PR. Want me to review it?

Based on the diff (1429 lines, 6 files), I've queued these reviewers:

• Correctness — logic errors, race conditions, lifecycle issues
• Security — vulnerabilities, secret exposure, injection
• API Compatibility — breaking changes, release tags, type design
• Performance — algorithmic regressions, memory leaks
• Testing — coverage gaps, hollow tests

How this works

• Adjust the reviewer set by ticking/unticking boxes above. Reviewer toggles alone don't trigger anything.

• Tick Start review below to dispatch the review fleet.

• After review finishes, tick Start review again to request another run — it auto-resets after each dispatch.

• This comment updates as new commits land; your reviewer selections are preserved.

• Start review

[Copilot]

Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.

Files not reviewed (1)

• build-tools/pnpm-lock.yaml: Language not supported

[CraigMacomber]

The dependency is not a direct one, and what depends on it pins a specific version. As this is not a regression in this change, and will be picked up by our scanners, I'm considering it out of scope and can be addressed later.

[ChumpChief]

Thank you for taking this on!