feat: add update-deps command for cross-repo dependency sync

[pyramation]

Summary

Adds a new makage update-deps command that compares workspace packages from a source repo against dependencies in a target repo, outputting structured JSON to stdout.

makage update-deps --from ../constructive --in ../constructive-db

What it does:

1. Reads pnpm-workspace.yaml in --from repo, discovers all workspace package names + versions
2. Reads all package.json files in --in repo (supports monorepos)
3. Cross-references to find which source packages are used as dependencies in the target
4. Compares versions to detect drift

JSON output includes:

• sourcePackages — all discovered workspace packages (name, version, path)
• matchedPackages — source packages found as deps in the target (with currentVersion, availableVersion, depType, consumer, outdated flag)
• outdatedPackages — subset where version drift was detected
• has_dep_changes — boolean signal for CI

This is intended to replace the grep pnpm-lock.yaml hack in the constructive-hub CI workflow for cross-repo dep syncing. Logs go to stderr; structured JSON goes to stdout so CI can pipe/parse it.

Review & Testing Checklist for Human

• Semver comparison is naive — isOutdated() strips ^~>=< prefixes and does a numeric 3-part comparison. It does NOT handle pre-release versions (1.0.0-beta.1), complex ranges (>=1.0.0 <2.0.0), or || operators. Verify this is acceptable for the version specs actually used across constructive repos, or decide if a proper semver library dependency is warranted.
• Command is read-only despite the name — update-deps reports outdated packages but does not actually run pnpm update. The CI workflow is expected to use the JSON output to decide what to update separately. Confirm this matches your intent.
• Test end-to-end: Install globally (npm i -g from dist) and run makage update-deps --from /path/to/constructive --in /path/to/constructive-db — verify the output includes naked-name packages like graphile-search, pgsql-test, etc. that the old grep-based approach missed.
• Workspace glob pattern depth — pattern normalization (packages/* → packages/*/package.json) only matches one level deep, same as the existing update-workspace command. If any workspace uses packages/** for nested packages, those would be missed.

Notes

• Reuses the same workspace discovery pattern as the existing updateWorkspace.ts command
• 5 new unit tests covering: missing args, matched/outdated detection, up-to-date deps, workspace protocol handling
• All 14 tests pass (9 existing + 5 new)
• Validated against real constructive → constructive-db repos: found 78 source packages, 14 unique matches including naked-name packages

Link to Devin session: https://app.devin.ai/sessions/08781f0838fd4c929bb5ab08052b2b5a
Requested by: @pyramation

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring