ci: disable musl crt-static for Test (Linux x64 musl) job

vite-task PR voidzero-dev/vite-task#344 made `fspy_preload_unix`
(a cdylib) an unconditional build-dep so cargo's artifact resolver
doesn't panic during cross-compile. On musl, building a cdylib
requires dynamically-linked libc; the default is static, so the
build fails with:

    error: cannot produce cdylib for `fspy_preload_unix` as the
    target `x86_64-unknown-linux-musl` does not support these crate
    types

Mirror vite-task's own musl CI: set `-C target-feature=-crt-static`
in `RUSTFLAGS`. vite+ ships as a NAPI module that links musl libc
dynamically, so this matches production.

chore: bump vite-task to 4f14ebe0

chore(deps): bump rustls-webpki to patch RUSTSEC-2026-0098/0099

Two advisories landed against `rustls-webpki 0.103.10`:
- RUSTSEC-2026-0098: URI name constraints were incorrectly accepted
- RUSTSEC-2026-0099: wildcard-name certificates bypassed DNS name
  constraints (similar to CVE-2025-61727)

Both are reachable only after signature verification and require
misissuance to exploit, but `cargo deny check` now fails on them.
`cargo update -p rustls-webpki` moves us to 0.103.12 which contains
the fix.

feat(check): support `--no-error-on-unmatched-pattern` for fmt and li…

…nt (#1354)

## Summary

- In `--fix` mode with file paths, implicitly pass
`--no-error-on-unmatched-pattern` to both oxfmt and oxlint, preventing
errors when all staged files are excluded by ignorePatterns (the
lint-staged use case).
- Expose `--no-error-on-unmatched-pattern` as an explicit CLI flag for
non-fix use cases. Both oxfmt and oxlint support this flag natively.
- Add snap tests covering: unmatched patterns pass in fix mode,
non-lintable files (package.json) pass in fix mode, real lint errors are
not swallowed, and `vp lint package.json` exits non-zero.

Closes #1210

## Test plan

- [x] `pnpm -F vite-plus snap-test-local check-fix-no-error-unmatched` —
verifies implicit/explicit flag behavior
- [x] `pnpm -F vite-plus snap-test-local
check-fix-lint-error-not-swallowed` — verifies real lint errors surface
- [x] `pnpm -F vite-plus snap-test-local lint-unmatched-pattern` —
verifies `vp lint package.json` exits non-zero
- [x] `pnpm -F vite-plus snap-test-local check` — all 25 check snap
tests pass
- [x] `pnpm -F vite-plus snap-test-global command-check-help` — help
output includes new flag

feat(check): pass --no-error-on-unmatched-pattern to oxlint natively

Now that oxlint supports --no-error-on-unmatched-pattern, pass it
directly instead of working around it at the vp check level. Simplify
the lint None branch to match the fmt pattern.

Add snap tests for `vp check --fix package.json` (non-lintable file,
should pass) and `vp lint package.json` (should exit non-zero).

fix(install): reject non-semver package manager versions (#1386)

Strictly validate the resolved version in `download_package_manager`
before it is interpolated into
`$VP_HOME/package_manager/{name}/{version}`.
`AbsolutePath::join` does not normalize `..`, so a version containing
path components could escape the home directory. The check also
covers registry-controlled `latest` lookups.

fixes
[GHSA-33r3-4whc-44c2](GHSA-33r3-4whc-44c2)

feat(deps): upgrade upstream dependencies (#1375)

Automated daily upgrade of upstream dependencies:
- rolldown (latest tag)
- vite (latest tag)
- vitest (latest npm version)
- tsdown (latest npm version)

Build status: success

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Mostly dependency bumps and snapshot updates, but upgrading
`oxlint`/`oxfmt` can subtly change CLI behavior and output (including
lint exit conditions), which may affect CI or user workflows.
> 
> **Overview**
> Upgrades upstream tooling versions (notably `oxfmt` `0.45.0`, `oxlint`
`1.60.0`, and `tsdown` `0.21.8`, plus related lockfile updates) and
aligns `packages/core` peer/bundled versions accordingly.
> 
> Updates CLI snapshot tests to match new outputs/help text (including
the new `--no-error-on-unmatched-pattern` option and updated
lint/no-files messaging) and applies small lint-suppression comments for
generic JSON/YAML/package helpers to satisfy stricter rules.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
8249925. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: MK <fengmk2@gmail.com>

refactor: remove redundant try_exists guard, add debug log

- Remove redundant try_exists check before remove_or_rename_to_old
  since it already handles NotFound
- Log the original remove_file error at debug level before falling
  back to rename

fix(install): filter KeyEventKind on Windows for arrow key navigation

On Windows, crossterm emits both Press and Release events for each
key press. Without filtering for Press-only, arrow keys in the
`vp i` package manager prompt were processed twice per press (move
then move back), making them appear non-functional.

Closes #1361

test(check): use vite.config.ts instead of .oxlintrc.json for lint rules

Replace .oxlintrc.json with vite.config.ts in the
check-fix-lint-error-not-swallowed snap test to match the preferred
configuration style used across other snap tests.