
Bump vulnerable dev dependencies to patched versions#228

Merged
parthban-db merged 1 commit into main from parthban-db/stack/bump-vulnerable-devdeps on Jun 16, 2026

Conversation


@parthban-db parthban-db commented Jun 16, 2026

Contributor

Summary

Bumps the vulnerable development dependencies to their minimal patched versions, resolving 5 of the 7 open Dependabot alerts — including both criticals: vitest and @vitest/* ^3.2.4 → ^3.2.6, turbo 2.8.20 → 2.9.14, and the picomatch override 4.0.3 → 4.0.4. vite and esbuild are intentionally left untouched.

Why

Seven Dependabot security alerts are open against the repository, all in development-scope tooling (none ship in any published @databricks/sdk-* package). Dependabot's automatic security PR (#213) tried to resolve the vitest/esbuild cluster by upgrading vitest to 4.x and vite to 8.x — two major versions. That happens because, without an overrides pin, the only path that pulls patched esbuild@0.28.1 through the dependency tree is a vite major. Those majors are higher risk (potential test-config migration) and, more immediately, target brand-new versions that CI's JFrog db-npm registry blocks under its 7-day "immature package" cooldown policy — so #213 fails every check at jf npm ci before any test runs.

The vulnerabilities do not actually require those majors. Each alert has a much smaller fix whose target version is already well past the 7-day cooldown window, so it installs cleanly in CI: vitest/@vitest/browser/@vitest/coverage-v8 are fixed in 3.2.6 (published 2026-06-01), turbo in 2.9.14 (2026-05-14), and picomatch in 4.0.4 (2026-03-23). This PR applies those minimal bumps directly and leaves vite on 6.x.

The two remaining esbuild alerts (GHSA-gv7w-rqvm-qjhr, high, Deno binary integrity; GHSA-g7r4-m6w7-qqqr, low, dev server on Windows) require esbuild@0.28.1, which has not yet cleared the registry cooldown. They are deferred deliberately: both are dev-build-tool issues that do not affect this repository (no Deno usage; CI runs on Linux), and they can be picked up once 0.28.1 matures past the 7-day window.

What changed

Interface changes

None.

Behavioral changes

None for SDK consumers. Every change is to development and test tooling.

Internal changes

  • vitest, @vitest/browser, @vitest/coverage-v8: ^3.2.4 → ^3.2.6 — resolves GHSA-5xrq-8626-4rwp (critical, Vitest UI server arbitrary file read/exec) and GHSA-g8mr-85jm-7xhm (critical, Vitest Browser Mode API RCE).
  • turbo: 2.8.20 → 2.9.14 — resolves GHSA-hcf7-66rw-9f5r (medium, login callback CSRF) and GHSA-3qcw-2rhx-2726 (low, local code execution during Yarn Berry detection).
  • picomatch override: 4.0.3 → 4.0.4 — resolves GHSA-3v7f-55p6-f55p (medium, method injection in POSIX character classes).
  • package-lock.json regenerated to match.

How is this tested?

Ran the full CI suite locally against the bumped versions; all stages pass: build, lint + format:check, typecheck, test (Node.js), test:browser (chromium, 209 tests), and check:licenses.

This PR changes only development and test dependencies and has no consumer-facing effect, so no changelog entry is required.

NO_CHANGELOG=true

This pull request and its description were written by Isaac.
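The check behind the reasoning above, written as an added example that is not part of this PR or the repository: walk a `package-lock.json` (lockfile v3), flag every resolved copy of a package that sits below the minimal patched version from the Dependabot alert, and then sort the candidate bumps into ones whose target version is older than the registry's 7-day cooldown and ones that would still be blocked. The lock excerpt, the `vite`/`esbuild` versions in it, and the `esbuild@0.28.1` publish date are constructed for illustration; the three publish dates the PR states are reused as given. In a real run the `PUBLISHED` map would come from `npm view <pkg> time --json` and the floors from the alerts themselves.

```javascript
// Added example: audit a lockfile v3 against patched-version floors and a
// registry cooldown. Not code from the PR or the @databricks/sdk-* repo.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const NM = "node_modules/";

// Minimal patched versions as stated in the PR; anything below is flagged.
const FLOORS = {
  vitest: "3.2.6",
  "@vitest/browser": "3.2.6",
  "@vitest/coverage-v8": "3.2.6",
  turbo: "2.9.14",
  picomatch: "4.0.4",
  esbuild: "0.28.1",
};

// Publish dates keyed "name@version" (stand-in for `npm view <pkg> time --json`).
// The three dated releases match the PR text; esbuild@0.28.1 is constructed
// to be 3 days old on the merge date, i.e. inside the 7-day cooldown.
const PUBLISHED = {
  "vitest@3.2.6": "2026-06-01T00:00:00Z",
  "turbo@2.9.14": "2026-05-14T00:00:00Z",
  "picomatch@4.0.4": "2026-03-23T00:00:00Z",
  "esbuild@0.28.1": "2026-06-13T00:00:00Z", // constructed
};

// Constructed lockfile excerpt: pre-bump versions, with esbuild nested under vite.
const LOCK = {
  name: "example-monorepo",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-monorepo", devDependencies: { vitest: "^3.2.4", turbo: "2.8.20" } },
    "node_modules/vitest": { version: "3.2.4", dev: true },
    "node_modules/@vitest/browser": { version: "3.2.4", dev: true },
    "node_modules/@vitest/coverage-v8": { version: "3.2.6", dev: true },
    "node_modules/turbo": { version: "2.8.20", dev: true },
    "node_modules/picomatch": { version: "4.0.4", dev: true },
    "node_modules/vite": { version: "6.0.0", dev: true },                        // constructed
    "node_modules/vite/node_modules/esbuild": { version: "0.25.0", dev: true }, // constructed
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; a prerelease sorts
// below the release with the same numbers, which is all this comparison needs.
function parseSemver(v) {
  const s = v.replace(/^[\^~=v]/, "");
  const dash = s.indexOf("-");
  const core = dash === -1 ? s : s.slice(0, dash);
  const pre = dash === -1 ? null : s.slice(dash + 1);
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return { parts, pre };
}

// Numeric comparison, so 2.10.0 > 2.9.14 (a string compare would get this wrong).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// The package name is everything after the LAST "node_modules/" so nested
// copies (vite/node_modules/esbuild) and scoped names (@vitest/browser) both work.
function packageNameFromPath(lockPath) {
  const i = lockPath.lastIndexOf(NM);
  return i === -1 ? null : lockPath.slice(i + NM.length);
}

// "ok" if the target version is at least cooldownDays old, "immature" if the
// registry would still block it, "unknown" if no publish date is available.
function cooldownStatus(name, version, published, now, cooldownDays) {
  const iso = published[`${name}@${version}`];
  if (!iso) return "unknown";
  const ageDays = (now.getTime() - new Date(iso).getTime()) / MS_PER_DAY;
  return ageDays >= cooldownDays ? "ok" : "immature";
}

// Returns every lock entry below its floor, plus the bump plan split into
// safe (installable now), deferred (inside cooldown) and unknown (no date).
function auditLock(lock, floors, published, now, cooldownDays = 7) {
  if (lock.lockfileVersion !== 3) throw new Error("expected lockfileVersion 3");
  const below = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in floors) || !entry.version) continue;
    if (compareSemver(entry.version, floors[name]) < 0) {
      below.push({ path: lockPath, name, version: entry.version, floor: floors[name] });
    }
  }
  const plan = { below, safe: [], deferred: [], unknown: [] };
  for (const name of new Set(below.map((e) => e.name))) {
    const status = cooldownStatus(name, floors[name], published, now, cooldownDays);
    const bucket = status === "ok" ? "safe" : status === "immature" ? "deferred" : "unknown";
    plan[bucket].push({ name, target: floors[name] });
  }
  return plan;
}

console.log(JSON.stringify(auditLock(LOCK, FLOORS, PUBLISHED, new Date("2026-06-16T00:00:00Z"), 7), null, 2));
```

Run against the constructed excerpt on the merge date, the audit reports vitest and turbo as bumps that clear the cooldown, the nested esbuild copy as deferred, and @vitest/browser as undated (the PR gives only the vitest publish date); picomatch and @vitest/coverage-v8 are already at their floors. A real invocation would `JSON.parse` the repository's lock and the `npm view` output instead of the inline objects.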

Resolve 5 of 7 open Dependabot alerts (both criticals) with minimal patch
and minor bumps instead of the major upgrades Dependabot proposed in #213:
vitest and @vitest/* 3.2.4 -> 3.2.6, turbo 2.8.20 -> 2.9.14, and the picomatch
override 4.0.3 -> 4.0.4. All target versions are more than 7 days old, so they
clear CI's JFrog db-npm 7-day cooldown. The two esbuild alerts are deferred
until esbuild 0.28.1 clears the cooldown; both are dev-build-tool issues (Deno
integrity, dev server on Windows) that do not affect this repo.

Co-authored-by: Isaac
@parthban-db parthban-db enabled auto-merge June 16, 2026 11:39
@parthban-db parthban-db added this pull request to the merge queue Jun 16, 2026
Merged via the queue into main with commit 5d4f496 Jun 16, 2026
23 of 26 checks passed
@parthban-db parthban-db deleted the parthban-db/stack/bump-vulnerable-devdeps branch June 16, 2026 11:46