Update package.json to newer, secure versions

[mehigh]

https://github.com/xwp/site-performance-tracker/security/dependabot

[loganwisniewski]

@mehigh Here are my initial findings:

Regular expression denial of service (https://github.com/xwp/site-performance-tracker/security/dependabot/3):

• [email protected] already has an isolated dependency of [email protected] (not sure why this would be a conflict)
• [email protected] already has an isolated dependency of [email protected] (not sure why this would be a conflict)
• [email protected] is already installed as the latest available version

Uncontrolled Resource Consumption in markdown-it (https://github.com/xwp/site-performance-tracker/security/dependabot/1):

• @wordpress/[email protected] updated to @wordpress/[email protected] (latest) locally still contains the outdated [email protected]

Would should be my approach? I've seen ways to force dependency versions but that doesn't seem like a very stable way to handle these vulnerabilities.

[mehigh]

@loganwisniewski please contribute a PR which updates all of the dependencies to the latest versions.
If there are libraries still relying on a vulnerable version we can create a ticket in their repositories and contribute a fix there, as it happens with the wordpress/scripts.

We don't need to spend a lot of time on this, but at least do our due diligence in at least passing (or contributing too, as it is not too much of an ask for a npm dependency) the information and improving security in the tools we're using.

[kasparsd]

The result of npm audit fix should be enough. The only dependency we're actually using outside of dev-dependencies is:

site-performance-tracker/package.json

Lines 65 to 67 in 6be53c6

	"dependencies": {
	"web-vitals": "^2.1.4"
	}

so we can ignore any dev-dependency related warnings.