Update to Decimal 3.0, update dependencies, fix Elixir 1.19 warnings

[jeremyowensboggs]

• Update decimal dependency to ~> 3.0 (no longer backward compat, see below)
• Update other dependencies in mix.lock
• Move preferred_cli_env to def cli (deprecated in Mix 1.19)
• Replace single-quoted charlists with ~c sigil in doctests
• Fix compile-time type checker warning in conversion test

Problem

Decimal 3.x made Decimal.new/1 strict about the number of significant digits it accepts (default max: 28). This causes Number.Delimit.number_to_delimited/2 and Number.Currency.number_to_currency/2 to crash with Decimal.Error when given float-derived strings with more than 28 significant digits (e.g. "0.02053473047423571351409743977530517" — 35 digits, typical of IEEE 754 double-precision float-to-string conversion).

The crash path: number_to_delimited converts a non-integer input to a string via to_string/1, then passes it through Number.Conversion.to_decimal/1, which calls Decimal.new/1 on the raw string.

Fix

Replace Decimal.new(string) with Decimal.parse(string, max_digits: 100) in the BitString implementation of Number.Conversion.to_decimal/1. This is the single chokepoint where arbitrary strings become Decimals in the library. 100 digits provides generous headroom beyond any realistic float-derived input while still bounding the parse.

Since Decimal.parse/2 with the max_digits option is a 3.x-only API, this also narrows the decimal dependency to ~> 3.0. If backwards compatibility with decimal 1.x/2.x is desired, a compile-time check for function_exported?(Decimal, :parse, 2) could be added — happy to make that change if needed.

[pwcsquared]

@danielberkompas There is a moderate vulnerability in the :decimal package fixed in v3.0, so this PR is fairly important to us!

[jeremyowensboggs]

Problem

Decimal 3.x made Decimal.new/1 strict about the number of significant digits it accepts (default max: 28). This causes Number.Delimit.number_to_delimited/2 and Number.Currency.number_to_currency/2 to crash with Decimal.Error when given float-derived strings with more than 28 significant digits (e.g. "0.02053473047423571351409743977530517" — 35 digits, typical of IEEE 754 double-precision float-to-string conversion).

The crash path: number_to_delimited converts a non-integer input to a string via to_string/1, then passes it through Number.Conversion.to_decimal/1, which calls Decimal.new/1 on the raw string.

Fix

Replace Decimal.new(string) with Decimal.parse(string, max_digits: 100) in the BitString implementation of Number.Conversion.to_decimal/1. This is the single chokepoint where arbitrary strings become Decimals in the library. 100 digits provides generous headroom beyond any realistic float-derived input while still bounding the parse.

Since Decimal.parse/2 with the max_digits option is a 3.x-only API, this also narrows the decimal dependency to ~> 3.0. If backwards compatibility with decimal 1.x/2.x is desired, a compile-time check for function_exported?(Decimal, :parse, 2) could be added — happy to make that change if needed.