build(deps): apply pending dependabot bumps in one pass

[zacharyr0th]

Applies 9 of the 12 open dependabot bumps in a single verified pass (main is strict-protected, so one PR beats 12 update-branch/CI cycles):

• Root: chalk 5.6.2, ora 9.4.0, commander 15.0.0, inquirer 14.0.2, eslint 10.4.1 + @eslint/js 10.0.1. eslint 10's new preserve-caught-error rule flagged three re-thrown errors; fixed by attaching { cause }.
• Site: react / react-dom / @types/react 19.2.7, typescript 6.0.3, with bun.lock regenerated (site CI installs via bun --frozen-lockfile).
• Actions: pinned SHAs bumped for actions/checkout (v6.0.3) and actions/setup-node (v6.4.0).

Covers #4, #5, #6, #7, #8, #10, #12, #13, #15 — dependabot will auto-close them once this lands.

Deliberately skipped:

• build(deps-dev): bump tailwindcss from 3.4.19 to 4.3.0 in /site #11 tailwindcss 4 — the site uses v3 @tailwind directives, tailwind.config.ts, and tailwindcss-animate; v4 is a CSS-first migration with visual-regression risk, not a bump.
• build(deps-dev): bump eslint from 9.39.4 to 10.4.1 in /site #14 site eslint 10 — eslint-config-next's bundled eslint-plugin-react crashes under eslint 10 (contextOrFilename.getFilename is not a function).

Test plan

• Root: npm run lint clean on eslint 10, npm test 50/50, node bin/cli.js --help / sync --help smoke-tested on commander 15.
• Site: npm run typecheck (TS 6), npm run lint, npm run build all clean locally after bun install.

🤖 Generated with Claude Code

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​react@​19.2.15 ⏵ 19.2.17
	react@​19.2.6 ⏵ 19.2.7
	ora@​9.0.0 ⏵ 9.4.0	+1		+1
	@​eslint/​js@​10.0.1
	commander@​14.0.2 ⏵ 15.0.0	+1
	typescript@​5.9.3 ⏵ 6.0.3	+1		+1
	react-dom@​19.2.6 ⏵ 19.2.7
	eslint@​10.4.1
	inquirer@​13.1.0 ⏵ 14.0.2	+1

View full report