Pull in jsdom@^23.0.0 for tough-cookie@4.1.3

[JoshuaKGoldberg]

👋 Hi! Coming over from mochajs/mocha#5070, there's a trail in our dependencies that ends with an old version of tough-cookie and starts with our dependency on assetgraph. Bottom-to-top:

• tough-cookie had a security report: GHSA-72xf-g2v4-qvf3 -> CVE-2023-26136 Prototype Pollution vulnerability salesforce/tough-cookie#291 -> tough-cookie@4.1.3
• jsdom: has a dependency on tough-cookie. Update dependencies jsdom/jsdom#3626 bumped it to ^4.1.3; jsdom@23.0.0 included the upgrade
• assetgraph still has a dependency on jsdom@^21.0.0.

Would you accept a PR that bumps jsdom to ^23.0.0?

AssetGraph is very cool by the way. Thanks for working on it! 😄

[papandreou]

Sure, but note that we do releases from the v7 branch, where jsdom is at 16.x and we still support node.js 12. Jsdom tends to be quite aggressive with not supporting older node versions, so we can't really upgrade to ^23 until we release a new major of assetgraph.

[papandreou]

AssetGraph doesn't make use of jsdom's ability to load related assets via HTTP, so the npm audit error is purely cosmetic.