
Dependency currency sweep: use current, actively-supported stable versions (real-world, not training-data defaults) #402


@schmitthub

Goal

Audit every dependency and ensure we're on the current, actively-supported, stable release that reflects real upstream state — not a package/version chosen from model training-data familiarity.

Why (the recurring smell)

Surfaced during the dependabot merge sweep (#396, #398, #400 rebase): we're on the charm v1 generation (glamour/lipgloss/bubbletea/bubbles) while the v2 line is mature, and lipgloss is pinned to an untagged pseudo-version (v1.1.1-0.2025..., pulled in by glamour v1.0.0).

The systemic pattern: agents default to packages/versions they "know" from training rather than verifying current upstream reality. Concrete precedent in this repo: earlier work used docker/docker (the legacy/retired import) instead of moby/moby — since corrected. Risk it recurs across the tree.

Dependabot's blind spot

Dependabot bumps within a module path only. It will NOT:

  • migrate a retired/renamed module to its successor (docker/docker → moby/moby),
  • jump to a newer major at a different import path (/v2, vanity domains like charm.land/...),
  • replace a pseudo-version (untagged commit) pin with a clean tag.

Those require a periodic manual audit. go list -m -u all only surfaces within-path updates (clean here) — it does not flag the above.

Scope / method

For every direct dependency:

  • Verify upstream is active (not archived/deprecated/renamed).
  • Verify the chosen major is current + supported; flag where a newer major exists at a new path.
  • Flag pseudo-version (untagged) pins; pin to clean tags where possible.
  • Flag deprecated APIs in use.
  • Tooling: go list -m -u all + pkg.go.dev / deps.dev upstream status + repo archive/rename check.
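The method above is mechanical enough to script. The following is an added example (not code from this repo or from the issue author) that reads the JSON stream of go list -m -u -json all and emits the three findings Dependabot will not: pseudo-version pins, module paths known to be retired or superseded, and within-path updates. The docker/docker → moby/moby mapping comes from the issue; the charm.land/.../v2 successor entries and the embedded sample module list are constructed assumptions, so verify them against upstream (pkg.go.dev / deps.dev / repo archive status) before acting on a finding.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Module mirrors the fields of `go list -m -u -json all` output that the audit uses.
type Module struct {
	Path     string  `json:"Path"`
	Version  string  `json:"Version"`
	Main     bool    `json:"Main"`
	Indirect bool    `json:"Indirect"`
	Update   *Module `json:"Update"`
}

// Finding is one audit result for a module.
type Finding struct {
	Path    string
	Version string
	Kind    string // "pseudo-version", "superseded-path", "update-available"
	Note    string
}

// pseudoVersionRe matches the "yyyymmddhhmmss-abcdefabcdef" tail every Go pseudo-version carries.
var pseudoVersionRe = regexp.MustCompile(`\d{14}-[0-9a-f]{12}$`)

// IsPseudoVersion reports whether v pins an untagged commit rather than a clean tag.
func IsPseudoVersion(v string) bool {
	return pseudoVersionRe.MatchString(strings.TrimSuffix(v, "+incompatible"))
}

// successors maps a retired or superseded module path to the path upstream now publishes.
// The docker entry is taken from the issue text; the charm entries are assumed (hypothetical)
// and must be checked against upstream before being acted on.
var successors = map[string]string{
	"github.com/docker/docker":           "github.com/moby/moby",
	"github.com/charmbracelet/lipgloss":  "charm.land/lipgloss/v2",
	"github.com/charmbracelet/bubbletea": "charm.land/bubbletea/v2",
}

// Audit decodes the concatenated JSON objects that `go list -m -u -json all` prints
// (one per module, not an array) and returns findings for every non-main module.
func Audit(r io.Reader) ([]Finding, error) {
	dec := json.NewDecoder(r)
	var findings []Finding
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Main {
			continue
		}
		if IsPseudoVersion(m.Version) {
			findings = append(findings, Finding{Path: m.Path, Version: m.Version, Kind: "pseudo-version",
				Note: "pinned to an untagged commit; pin to a clean tag"})
		}
		if succ, ok := successors[m.Path]; ok {
			findings = append(findings, Finding{Path: m.Path, Version: m.Version, Kind: "superseded-path",
				Note: "upstream moved to " + succ + "; Dependabot will not migrate this"})
		}
		if m.Update != nil {
			findings = append(findings, Finding{Path: m.Path, Version: m.Version, Kind: "update-available",
				Note: "within-path update to " + m.Update.Version})
		}
	}
	return findings, nil
}

// SampleGoList is a constructed stand-in for real `go list -m -u -json all` output;
// the module names, versions and pseudo-version hash are made up for the example.
const SampleGoList = `
{"Path": "example.com/fleetcli", "Main": true}
{"Path": "github.com/charmbracelet/glamour", "Version": "v1.0.0"}
{"Path": "github.com/charmbracelet/lipgloss", "Version": "v1.1.1-0.20250404150000-1234567890ab", "Indirect": true}
{"Path": "github.com/docker/docker", "Version": "v28.0.0+incompatible"}
{"Path": "github.com/spf13/cobra", "Version": "v1.8.1", "Update": {"Path": "github.com/spf13/cobra", "Version": "v1.9.1"}}
{"Path": "golang.org/x/text", "Version": "v0.21.0"}
`

func main() {
	// Usage: `go list -m -u -json all | go run audit.go -`; without "-" the sample runs.
	var r io.Reader = strings.NewReader(SampleGoList)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		r = os.Stdin
	}
	findings, err := Audit(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%-17s %s@%s: %s\n", f.Kind, f.Path, f.Version, f.Note)
	}
}
```

On the sample input this reports lipgloss twice (pseudo-version and superseded path), docker/docker once (superseded path) and cobra once (within-path update), and says nothing about glamour or x/text. That silence is the point to keep in mind: a module can be on a clean tag with no within-path update and still be a retired line, so the successors table is the part of the audit that has to be maintained by hand from upstream status, not derived from go list.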
