chore: resolve dev Dependabot alerts#859

Merged
mk3008 merged 2 commits into main from codex/fix-dependabot-dev-alerts on Jun 5, 2026

Conversation

mk3008 (Owner) commented Jun 5, 2026

Summary

  • Resolve the open Dependabot dev-environment alerts by updating the affected dev/test dependency graph.
  • Update hono to 4.12.21, align workspace vitest packages on 4.1.8, move testcontainers packages to 12.0.1 so tmp resolves to 0.2.7, and update root mssql to remove the old uuid path.
  • Align the ztd init generated project Vitest devDependency with the workspace-supported ^4.1.8 version and add a changeset for the scaffold-visible update.

Verification

  • pnpm why hono --recursive --depth 8 resolves hono to 4.12.21.
  • pnpm why vitest --recursive --depth 2 resolves workspace Vitest usage to 4.1.8.
  • pnpm why tmp --recursive --depth 8 resolves tmp to 0.2.7.
  • pnpm why uuid --recursive --depth 8 returns no dependency path.
  • rg -n -F "^4.0.7" --glob "!node_modules/**" --glob "!tmp/**" returns no matches.
  • pnpm --filter @rawsql-ts/ztd-cli exec vitest run tests/init.command.test.ts
  • pnpm typecheck
  • node ./scripts/release-readiness.js detect --base-sha 8b8cb2282487b06df347c0f5f0280f44f370b8fd --head-sha dfb54d832caf4f18acf37ad6c1d934961b149aae --event-path tmp/pr-event.json
  • Pre-commit hook passed for the follow-up commit: staged-file policy, ztd-cli typecheck, ztd-cli test:essential, ztd-cli build, and ztd-cli lint.
  • Earlier PR verification also passed: pnpm build, pnpm test, and git diff --check.

Merge Readiness

  • No baseline exception requested.
  • Baseline exception requested and linked below.

Tracking issue: none
Scoped checks run: pnpm typecheck; pnpm build; pnpm test; git diff --check; ztd-cli test:essential; release-readiness detect; targeted pnpm why checks for hono, vitest, tmp, and uuid
Why full baseline is not required: Not applicable; no baseline exception requested.

Self Review

Self-review workflow: developer-self-review two-cycle consistency review and human acceptance review.
Self-review result: No blockers remain; CodeRabbit's scaffolded Vitest version finding was valid and is fixed with test coverage.
Concept-review workflow: Checked the ztd-cli scaffold boundary for a generated package devDependency-only change plus dependency manifest updates.
Concept-review result: No concept or package-boundary violations found; the scaffold continues to emit a DB-free test command and now emits the patched Vitest line.

CLI Surface Migration

  • No migration packet required for this CLI change.
  • CLI/user-facing surface change and migration packet completed.

No-migration rationale: The ztd init command surface did not change; generated projects receive the same test setup with an updated compatible Vitest devDependency.
Upgrade note: Not applicable.
Deprecation/removal plan or issue: Not applicable.
Docs/help/examples updated: Not applicable; no command, option, help text, or example workflow changed.
Release/changeset wording: .changeset/fresh-vitest-scaffold.md records the scaffold-visible Vitest alignment for @rawsql-ts/ztd-cli.

Scaffold Contract Proof

  • No scaffold contract proof required for this PR.
  • Scaffold contract proof completed.

No-proof rationale: Not applicable.
Non-edit assertion: Existing package.json values are still preserved unless missing or scaffold-owned; the change only updates the scaffold default Vitest version inserted by ztd init.
Fail-fast input-contract proof: pnpm --filter @rawsql-ts/ztd-cli exec vitest run tests/init.command.test.ts passed, covering init command package generation paths.
Generated-output viability proof: ztd-cli pre-commit gate passed test:essential, including init/scaffold tests, ztd-cli build, and ztd-cli lint.
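Added example (not the PR's or the rawsql-ts project's code): a Node script that applies the same acceptance criteria as the targeted `pnpm why` checks above directly to a pnpm-lock.yaml, flagging any alerted package still resolved below its fixed version and any lingering uuid path. The version map and the lockfile excerpt are constructed for the example.

```javascript
// Added example (not from the PR or rawsql-ts): verify from pnpm-lock.yaml that the
// alerted packages resolve only at or above the fixed versions, like the `pnpm why` checks.
const MIN_VERSIONS = { hono: '4.12.21', vitest: '4.1.8', tmp: '0.2.7' }; // from the PR
const FORBIDDEN = ['uuid']; // must have no remaining dependency path
// Numeric major.minor.patch compare; a pre-release suffix is ignored.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  return [0, 1, 2].reduce((d, i) => d || (pa[i] || 0) - (pb[i] || 0), 0);
}

// Map name -> Set(version) from the "packages:" section. Lockfile v9 keys look like
// "  name@1.2.3(peer@x):" (scoped names are quoted); v6 keys start with "/".
function resolvedVersions(lockfileText) {
  const out = new Map();
  let inPackages = false;
  for (const line of lockfileText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) inPackages = false; // any other top-level key ends the section
    const m = inPackages && line.match(/^  \/?'?((?:@[^/\s']+\/)?[^@\s']+)@([^\s(:']+).*:\s*$/);
    if (m) (out.get(m[1]) || out.set(m[1], new Set()).get(m[1])).add(m[2]);
  }
  return out;
}

// Returns human-readable findings; an empty list means the alerts are resolved.
function checkLockfile(lockfileText) {
  const resolved = resolvedVersions(lockfileText);
  const findings = [];
  for (const [name, min] of Object.entries(MIN_VERSIONS))
    for (const v of resolved.get(name) || [])
      if (cmpVersion(v, min) < 0) findings.push(`${name}@${v} is below required ${min}`);
  for (const name of FORBIDDEN)
    for (const v of resolved.get(name) || []) findings.push(`${name}@${v} still resolved`);
  return findings;
}

// Constructed lockfile excerpt: one stale hono path and a leftover uuid remain.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  '@vitest/coverage-v8@4.1.8(vitest@4.1.8(@types/node@22.0.0))':
    resolution: {integrity: sha512-constructed}
  hono@4.12.18:
    resolution: {integrity: sha512-constructed}
  hono@4.12.21:
    resolution: {integrity: sha512-constructed}
  tmp@0.2.7:
    resolution: {integrity: sha512-constructed}
  uuid@8.3.2:
    resolution: {integrity: sha512-constructed}
`;
```

Run it against the real lockfile with `checkLockfile(fs.readFileSync('pnpm-lock.yaml', 'utf8'))`; a non-empty result means a Dependabot path survived the upgrade.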


coderabbitai Bot commented Jun 5, 2026

Walkthrough

This PR updates development dependencies across the monorepo workspace: vitest is bumped to ^4.1.8, testcontainers packages are upgraded to ^12.0.1, root toolchain updates include mssql and hono versions, and some manifests reorder dependency entries for consistency.

Changes

Workspace dependency maintenance

Layer / File(s) / Summary

Root workspace toolchain updates
  File(s): package.json
  Summary: Root package.json updates testcontainers, mssql, and vitest versions, reorders changesets and database-related devDependencies, and bumps hono from 4.12.18 to 4.12.21 in pnpm.overrides.

Vitest version bump across workspace packages
  File(s): packages/advanced-runtime/package.json, packages/core/package.json, packages/ddl-docs-cli/package.json, packages/ddl-docs-vitepress/package.json, packages/executor/package.json, packages/sql-grep-core/package.json, packages/test-evidence-core/package.json, packages/test-evidence-renderer-md/package.json, packages/testkit-core/package.json, packages/testkit-postgres/package.json, packages/testkit-sqlite/package.json
  Summary: Vitest devDependency updated from ^4.0.7 to ^4.1.8 across all workspace test packages, with @vitest/coverage-v8 also bumped in packages/core and minor reordering of parser tooling entries.

Testcontainers updates and dependency reordering
  File(s): packages/adapters/adapter-node-pg/package.json, packages/transfer/package.json, packages/ztd-cli/package.json
  Summary: Adapter and CLI packages update @testcontainers/postgresql and testcontainers to ^12.0.1, with ztd-cli also reordering dependencies to surface @rawsql-ts/driver-adapter-core and @rawsql-ts/sql-grep-core earlier in the dependency list.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop hop, dependencies rise,
Vitest ^4.1.8 beneath the skies,
Testcontainers march to twelve-oh-one,
Hono and mssql have their fun,
Reorder, bump, and all looks fine—
The workspace blooms with versions aligned! 🌿

Pre-merge checks: 5 passed

  • Title check: Passed. The title 'chore: resolve dev Dependabot alerts' clearly and concisely summarizes the main change—addressing Dependabot alerts in dev dependencies across the workspace.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The pull request description comprehensively covers all required template sections with detailed verification steps, merge readiness confirmation, self-review results, and scaffold contract proof.

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/ddl-docs-cli/package.json`:
- Line 41: The scaffolded Vitest version in the project generator is out of
date: in packages/ztd-cli/src/commands/init.ts the template string that writes
package.json currently pins "vitest": '^4.0.7' — update that template to use
'^4.1.8' (or better, read the workspace version dynamically) so generated
projects match the workspace; locate the code that constructs the scaffolded
package.json (the init command / function that writes the template) and replace
the hardcoded '^4.0.7' with '^4.1.8' or a variable sourced from the workspace.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c76f8b91-2c8d-4b65-93bf-e97beee03205

📥 Commits

Reviewing files that changed from the base of the PR and between 8b8cb22 and fbab6bb.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (15)
  • package.json
  • packages/adapters/adapter-node-pg/package.json
  • packages/advanced-runtime/package.json
  • packages/core/package.json
  • packages/ddl-docs-cli/package.json
  • packages/ddl-docs-vitepress/package.json
  • packages/executor/package.json
  • packages/sql-grep-core/package.json
  • packages/test-evidence-core/package.json
  • packages/test-evidence-renderer-md/package.json
  • packages/testkit-core/package.json
  • packages/testkit-postgres/package.json
  • packages/testkit-sqlite/package.json
  • packages/transfer/package.json
  • packages/ztd-cli/package.json

@mk3008 mk3008 merged commit ee0cc7d into main Jun 5, 2026
11 checks passed
@mk3008 mk3008 deleted the codex/fix-dependabot-dev-alerts branch June 5, 2026 12:18