chore(deps): replace serde_yml with serde_norway (#357)

## Motivation

The Security Analysis job (which runs `cargo deny check` whenever
`Cargo.lock` changes) fails on every PR that touches `Cargo.lock`
because `serde_yml v0.0.12` trips
[RUSTSEC-2025-0068](https://rustsec.org/advisories/RUSTSEC-2025-0068):
the crate is unsound (`Serializer.emitter` can segfault), the upstream
project has been archived, and the advisory explicitly states "No safe
upgrade is available". The only fix is to move off `serde_yml`. Example
failure: [run 24874266956 on
#352](https://github.com/voidzero-dev/vite-task/actions/runs/24874266956/job/72827299235?pr=352).

## Summary

- Replace `serde_yml = "0.0.12"` with `serde_norway = "0.9.42"` in the
workspace `Cargo.toml` and in `crates/vite_workspace/Cargo.toml`.
- Update `vite_workspace::load_package_graph` to call
`serde_norway::from_slice` for `pnpm-workspace.yaml`.
- Rename the error variant `Error::SerdeYml { serde_yml_error:
serde_yml::Error }` → `Error::SerdeYaml { serde_yaml_error:
serde_norway::Error }` so the type stays generic over the backing crate.
- Regenerate `Cargo.lock` (adds `serde_norway`, `unsafe-libyaml-norway`;
drops `serde_yml`, `libyaml-safer`, and their exclusive transitive
deps).

## Why `serde_norway` over the other forks

`serde_yml`'s RUSTSEC advisory lists four alternatives; both maintained
`serde_yaml` forks (`serde_norway` and `serde_yaml_ng`) are drop-in
compatible. `serde_norway` is more actively maintained (last release Dec
2024 vs May 2024), dual-licensed MIT/Apache-2.0, and ships its own
`unsafe-libyaml-norway` fork of the C bindings so future advisories
against libyaml can be patched without waiting on upstream.

## Test plan

- [x] `cargo deny check --config <oxc security-action deny.toml>` →
`advisories ok, bans ok, licenses ok, sources ok` (was `unsound:
RUSTSEC-2025-0068` before)
- [x] `cargo test -p vite_workspace` → 79 passed
- [x] `cargo clippy -p vite_workspace --all-targets -- -D warnings` →
clean

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: branchseer

Cargo.lock

@@ -116,7 +116,7 @@ rustc-hash = "2.1.1"
 seccompiler = { git = "https://github.com/rust-vmm/seccompiler", rev = "08587106340b8e3cb361c7561411510039436857" }
 serde = "1.0.219"
 serde_json = "1.0.140"
-serde_yml = "0.0.12"
+serde_norway = "0.9.42"
 sha2 = "0.10.9"
 shared_memory = "0.12.4"
 shell-escape = "0.1.5"

Cargo.toml

@@ -14,7 +14,7 @@ rustc-hash = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 # use `preserve_order` feature to preserve the order of the fields in `package.json`
 serde_json = { workspace = true, features = ["preserve_order"] }
-serde_yml = { workspace = true }
+serde_norway = { workspace = true }
 thiserror = { workspace = true }
 tracing = { workspace = true }
 vec1 = { workspace = true, features = ["smallvec-v1"] }

crates/vite_workspace/Cargo.toml

@@ -43,10 +43,10 @@ pub enum Error {
     },
 
     #[error("Failed to parse YAML file at {file_path:?}")]
-    SerdeYml {
+    SerdeYaml {
         file_path: Arc<AbsolutePath>,
         #[source]
-        serde_yml_error: serde_yml::Error,
+        serde_yaml_error: serde_norway::Error,
     },
 
     #[error(transparent)]

crates/vite_workspace/src/error.rs

@@ -248,10 +248,10 @@ pub fn load_package_graph(
     let mut graph_builder = PackageGraphBuilder::default();
     let workspaces = match &workspace_root.workspace_file {
         WorkspaceFile::PnpmWorkspaceYaml(file_with_path) => {
-            let workspace: PnpmWorkspace = serde_yml::from_slice(file_with_path.content())
-                .map_err(|e| Error::SerdeYml {
+            let workspace: PnpmWorkspace = serde_norway::from_slice(file_with_path.content())
+                .map_err(|e| Error::SerdeYaml {
                     file_path: Arc::clone(file_with_path.path()),
-                    serde_yml_error: e,
+                    serde_yaml_error: e,
                 })?;
             workspace.packages
         }