Pin all Graphile v5 RC deps to exact latest versions #732

Merged
pyramation merged 2 commits into main from devin/1771473255-pin-graphile-rc-versions
Feb 19, 2026

@pyramation pyramation commented Feb 19, 2026

Pin Graphile v5 RC deps to exact latest versions, add missing peer deps

Summary

All graphile/* and graphql/* packages had Graphile v5 RC dependencies using loose caret ranges (e.g., ^5.0.0-rc.3), which allowed pnpm to resolve to newer RC versions that introduced new peer dependency requirements nobody satisfied. This caused cascading "missing peer dependency" warnings downstream (e.g., in constructive-db/sdk/constructive-sdk) and runtime errors from dual-installed singletons like grafast.

Changes:

  • Pinned all Graphile RC deps to exact latest compatible versions across all 8 graphile/* packages and 4 graphql/* packages (removed ^ prefixes)
  • Bumped versions to latest RCs: postgraphile 5.0.0-rc.7, graphile-build-pg 5.0.0-rc.5, grafast 1.0.0-rc.7, etc.
  • Added 4 previously-missing transitive peer deps to graphile-settings: @dataplan/pg, @dataplan/json, tamedevil, grafserv
  • Bumped @dataplan/pg in graphile-search-plugin from stale pinned 1.0.0-rc.3 to 1.0.0-rc.5
  • Added GRAPHILE.md documenting the pinning strategy and future upgrade process

Updates since first revision

  • Also pinned grafast, grafserv, graphile-build, graphile-build-pg, graphile-config, pg-sql2, postgraphile in graphql/test, graphql/query, graphql/server, and graphql/explorer. Initial CI failed with Preset attempted to register version '1.0.0-rc.7' of 'grafast', but version '1.0.0-rc.4' is already registered because these graphql/* packages still had the old ^1.0.0-rc.4 caret ranges, causing a dual install.
  • Updated GRAPHILE.md to document the graphql/* packages and the singleton runtime error.

Review & Testing Checklist for Human

  • Verify runtime behavior after RC bumps — these are multi-step RC bumps (rc.3→rc.5, rc.4→rc.7) across a tightly coupled ecosystem. pnpm build passes, but API behavior may have changed between RCs. Run pnpm test across the workspace and manually test any graphile-dependent features (schema generation, query execution, explorer UI).
  • Check @graphile/simplify-inflection@8.0.0-rc.3: graphql/server/package.json still has this at 8.0.0-rc.3 (untouched by this PR). Verify it is compatible with the bumped graphile-config@1.0.0-rc.5 and other packages.
  • Verify peer deps in peerDependencies sections should be pinned: postgraphile-plugin-pgvector and graphile-search-plugin now have exact postgraphile: "5.0.0-rc.7" in their peerDependencies (not just dependencies). Exact peer deps are unusually restrictive for published packages — consumers must have that exact version. Consider whether these should remain as ranges.
  • Test the GraphQL Explorer UI — the lockfile shows ruru bumped from 2.0.0-rc.4 to 2.0.0-rc.6 and ruru-components was replaced by ruru-types. These are transitive changes from bumping grafserv. Manually test the explorer UI to ensure it still works.
  • Verify pnpm install in constructive-db — the original issue was peer dep warnings in constructive-db/sdk/constructive-sdk. After publishing these updated packages, re-run to confirm the warnings are resolved.

Notes

  • Lockfile churn is expected (3480 insertions, 9659 deletions) due to bumping multiple interdependent packages
  • postgraphile-plugin-connection-filter peer dep in graphile-search-plugin still uses ^3.0.0-rc.1 (caret range) — intentionally left as-is since only one RC exists
  • Local pnpm build passed successfully after both commits
  • CI results for the second commit (fixing graphql/* packages) are pending

Link to Devin run: https://app.devin.ai/sessions/5ab94c0bcf5b4643ac6d3c00d5951f36
Requested by: @pyramation
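
An added example, not part of this pull request or the repository's code: a small Node.js audit for the failure described above, flagging prerelease dependencies that are not exact pins and dependencies requested with more than one spec across workspace manifests. The `auditManifests` name and the manifest paths are hypothetical, and the sample manifests are constructed (only the grafast and postgraphile version strings come from the description).

```javascript
// Added example: audit workspace manifests for loose prerelease ranges.
// Manifest paths and contents below are constructed sample data.
const SECTIONS = ["dependencies", "devDependencies", "peerDependencies"];

function auditManifests(manifests) {
  const loose = [];            // specs that let the resolver pick a newer prerelease
  const requested = new Map(); // dep name -> Map(spec -> [manifest paths])
  for (const [path, pkg] of Object.entries(manifests)) {
    for (const section of SECTIONS) {
      for (const [dep, spec] of Object.entries(pkg[section] || {})) {
        if (!/-(rc|alpha|beta)\b/.test(spec)) continue; // only prerelease specs
        // Exact pin = bare version with no operator, wildcard or range.
        if (!/^\d+\.\d+\.\d+-[0-9A-Za-z.-]+$/.test(spec)) {
          loose.push({ path, section, dep, spec });
        }
        if (!requested.has(dep)) requested.set(dep, new Map());
        const bySpec = requested.get(dep);
        if (!bySpec.has(spec)) bySpec.set(spec, []);
        bySpec.get(spec).push(path);
      }
    }
  }
  // A dep requested with more than one spec can end up installed twice,
  // which is what breaks singleton packages at runtime.
  const split = [...requested]
    .filter(([, bySpec]) => bySpec.size > 1)
    .map(([dep, bySpec]) => ({ dep, specs: [...bySpec.keys()].sort() }));
  return { loose, split };
}

// Constructed input: one package already pinned, one still on a caret range.
const sampleManifests = {
  "pkg-a/package.json": {
    dependencies: { grafast: "1.0.0-rc.7", postgraphile: "5.0.0-rc.7" },
  },
  "pkg-b/package.json": {
    dependencies: { grafast: "^1.0.0-rc.4", postgraphile: "5.0.0-rc.7" },
  },
};

const report = auditManifests(sampleManifests);
console.log(JSON.stringify(report, null, 2));
```

Run against the real `package.json` files in CI, a non-empty `loose` or `split` list is a reason to fail the build before the lockfile drifts.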

…transitive peer deps

- Pin all graphile rc dependencies to exact versions (no caret ranges) across all 8 graphile/* packages
- Bump to latest compatible rc versions: postgraphile 5.0.0-rc.7, graphile-build-pg 5.0.0-rc.5, etc.
- Add missing transitive peer deps to graphile-settings: @dataplan/pg, @dataplan/json, tamedevil, grafserv
- Bump @dataplan/pg in graphile-search-plugin from pinned 1.0.0-rc.3 to 1.0.0-rc.5
- Add GRAPHILE.md documenting the pinning strategy and upgrade process
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


… grafast

- Pin grafast, grafserv, graphile-build, graphile-build-pg, graphile-config, pg-sql2, postgraphile in graphql/test, graphql/query, graphql/server, graphql/explorer
- Fixes runtime error: Preset attempted to register version 'rc.7' of 'grafast' but 'rc.4' is already registered
- Update GRAPHILE.md to document graphql/* packages
@pyramation pyramation merged commit dfa0519 into main Feb 19, 2026
43 checks passed
@pyramation pyramation deleted the devin/1771473255-pin-graphile-rc-versions branch February 19, 2026 05:19