Remove serde yaml, update some deps to the latest version.

[takashialpha]

serde_yaml was archived on March 25, 2024 and is no longer maintained,
generating CVE warnings for downstream consumers of this library. This is
a blocker for anyone depending on foundations who runs cargo audit or
similar auditing tools.

• Replace serde_yaml with serde-saphyr, the actively maintained
  successor backed by the saphyr YAML parser
• Drop yaml-merge-keys entirely — serde-saphyr handles YAML merge
  keys (<<:) natively and transparently during deserialization, making
  the explicit merge pass redundant
• Simplify from_yaml_str from a three-step
  parse → Value → merge → deserialize pipeline down to a single
  serde_saphyr::from_str call
• Bump several other workspace dependencies to their latest compatible
  versions (tokio, regex, thiserror, pin-project-lite, etc.)

No behaviour change. YAML merge key semantics are preserved — the
processing is now done inside serde-saphyr rather than as a manual
post-processing step.
Existing test suite passes unchanged. No new tests required as this is
a pure dependency substitution with equivalent semantics.

[TheJokr]

Getting rid of serde-yaml would be nice. I added some commits to retain serde_path_to_error functionality, configure the serialization format, and fix tests (the serialization format changed in some ways that aren't configurable).

I also reverted the dependency bumps to keep the PR focused. There's no need to bump minor versions in a library.

[TheJokr]

Thank you for the contribution!