spatten commented Sep 9, 2025

Overview

There is a vuln in tracing-subscriber that is fixed by upgrading to 0.3.20. This PR does that in the two spots that we use tracing-subscriber in.

FOSSA issue (on FOSSA prod org): https://app.fossa.com/projects/custom%2B1%2Fgithub.com%2Ffossas%2Ffossa-cli/refs/branch/ficus-error-logging/21a531f927a6d6844a1b90e1ecf0f98d641b2137/issues/vulnerability?page=1&count=20&sort=issue_count_desc&grouping=revision&status=active&revisionScanId=88877802

CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-58160

Acceptance criteria

  • We use a patched version of tracing-subscriber
  • Everything else still works

Testing plan

CI passing should be enough to test this

Risks

Metrics

References

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

spatten marked this pull request as ready for review September 9, 2025 22:30
spatten requested a review from a team as a code owner September 9, 2025 22:30
spatten requested a review from csasarak September 9, 2025 22:30

zlav commented Sep 9, 2025

Closing in favor of #1588

zlav closed this Sep 9, 2025