Use fetchCargoVendor for wasm-bindgen-cli

[alyssais]

Exposing an overridable cargoHash parameter is problematic because it
will produce silently broken FODs if we change the hashing scheme,
which we are currently doing across the tree because Cargo 1.84.0 has
changed the output of fetchCargoTarball, meaning all hashes have been
invalidated. To avoid this happening in future, we are changing to
the fetchCargoVendor mechanism, which does not depend on
implementation details of Cargo.

The future-proof way to override a package with Cargo dependencies is
to pass a cargoDeps object. This is more verbose, and requires the
caller to have access to the src object for the package. To
compensate for this, I've introduced a buildWasmBindgenCli function
that is nicer to use than wasm-bindgen-cli.overrideAttrs, and I've
also introduced versioned attributes for wasm-bindgen-cli versions
currently in use in Nixpkgs, so that each package that wants to use a
particular version doesn't have to duplicate the src and cargoDeps
definitions for that version.

This is a bit urgent, because we need the transition to be completed by the end of the current staging-next cycle to avoid exposing broken FODs to users.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[pbsds]

--------- Report for 'x86_64-linux' ---------
12 packages built:
lldap pagefind teleport teleport.client teleport_15 teleport_15.client tetrio-plus tpsecore wasm-bindgen-cli wasm-bindgen-cli_0_2_92 wasm-bindgen-cli_0_2_93 wasm-bindgen-cli_0_2_95

[alois31]

Code looks good save for two nits. The new FOD hashes verify. I think the API is reasonable: it avoids the correctness issue of the old one, while not creating significantly more effort for users: using versions that are already in nixpkgs actually becomes easier (and there is slightly less duplication within nixpkgs too), bumps are pretty much the same effort as before (change the version and two hashes), and new out-of-tree users are not that bad either (a couple of lines more boilerplate, but with better discoverability).

[bendlas]

lldap still builds and works. approving on behalf of that