chore(deps/security): upgrade to latest stable

[AviVahl]

Description of the Change

• Upgrade dependencies to latest stable versions.
• Replace rollup-plugin-node-builtins with rollup-plugin-node-polyfills, as former causes audit failures and latter seems just a bit* more maintained.

Alternate Designs

Consider using dependabot or renovate to automatically open PRs for updates.

Why should this be in core?

To resolve consumer deprecation messages when installing mocha:
warning mocha > yargs-unparser > flat@4.1.0: Fixed a prototype pollution security issue in 4.1.0, please upgrade to ^4.1.1 or ^5.0.1.

To reduce the number of repo audit failures from:
found 51 vulnerabilities (5 low, 2 moderate, 44 high) in 2841 scanned packages
to:
found 3 low severity vulnerabilities in 2629 scanned packages

Benefits

Better deduping for the other packages.

Possible Drawbacks

None that I'm aware.

Applicable issues

closes #4410

[coveralls]

Coverage remained the same at 94.075% when pulling 96c5e87 on AviVahl:upgrade-dependencies into b216fcd on mochajs:master.

[outsideris]

Not sure about the netlify/mocha/deploy-preview check. Tells me:

Netlify failed caused by an opencollective issue.

[outsideris]

OpenCollective had internal server errors for some avatar images. It seems OC fixed the issue.
So, I re-ran netlify build.

[deleonio]

Thanks for this fast PR!!!

Note: There is a breaking change inside! https://github.com/yargs/yargs-unparser/releases/tag/v2.0.0

We need the mocha fix for our https://www.npmjs.com/package/@leanup/cli#dependencies.

[AviVahl]

It's not breaking, as mocha already dropped these node versions.

[boneskull]

need to run this against all browsers...sigh.

[boneskull]

build here

[AviVahl]

@boneskull correct me if I'm wrong, but the failures I'm seeing don't seem to relate to the upgrades. does master pass (for that "all browsers" test)?

[AviVahl]

rebased to current master. squashed into a single commit. regenerated lock file. (lock file diff has a nice de-duping effect)

[AviVahl]

Pushed another commit which reduces the audit failures to:
found 3 low severity vulnerabilities in 2629 scanned packages

[AviVahl]

this does not include worker-pool@6.0.2, as #4465 handles that.

[boneskull]

this now has conflicts

[boneskull]

I think you just need to rebase to get the workerpool update

[AviVahl]

will rebase

[AviVahl]

@boneskull any idea if the flakiness related to the workerpool/parallel test changes?

[boneskull]

yeah failure is related to that, but unsure what's wrong. haven't had it fail before! could be something in the lockfile or the github actions cache... or just windows flake or windows flake on a specific node version (again, which hasn't surfaced).

we need to be certain the failure is unrelated though. I can't view the diff of the lockfile on my phone, maybe you can diff the workerpool subtree with what's in master and assert it's identical. if so, then it's likely unrelated to the changes here

[boneskull]

subtree meaning in the lockfile not on disk

[AviVahl]

I checked the lockfile. both master and the branch have the same version of workerpool (6.0.2). nothing special there.

[AviVahl]

rebased to master again, to see if failure is consistent.

[AviVahl]

Failure did not occur post rebase.

[boneskull]

I hope this is not the start of consistent flake. anyway, ty