Resolve CVEs and simplify dependency maintenance + FDC3 Workbench version check #1841

Merged: kriswest merged 6 commits into main from fix-vulnerable-deps on Apr 14, 2026

Conversation

@kriswest (Contributor)

Describe your change

Resolves all known CVEs in the monorepo and consolidates shared devDependencies to the root package.json to simplify future maintenance.

Also corrects the FDC3 Workbench version check to not flag an FDC3 2.2 implementation as unsupported.

CVEs Resolved

  • GHSA-67mh-4wv8-2f99 (Moderate). Package: esbuild ≤0.24.2 (via vitest → vite 5.x). Resolution: Upgraded vitest and @vitest/coverage-v8 from ^2.0.0 to ^3.2.4; upgraded vitest-mock-extended from ^2.0.0 to ^3.0.0. Vitest 3.x resolves to vite 6.x, which uses esbuild@^0.25.0 (patched).
  • GHSA-5c6j-r48x-rmvq / GHSA-qj8w-gfj5-8c6v (High). Package: serialize-javascript ≤7.0.4 (via mocha). Resolution: Added npm overrides in root package.json to force serialize-javascript@^7.0.5. No mocha version uses a patched range, so an override is the only option without removing mocha.
  • GHSA-848j-6mx2-7j84 (Low, ×6). Package: elliptic (via vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify). Resolution: Removed vite-plugin-node-polyfills from fdc3-workbench. The workbench source doesn't use Node.js crypto APIs; the only polyfills actually needed (Buffer, path) are now provided via targeted buffer and path-browserify packages with vite resolve aliases.

Dependency consolidation

Moved 10 shared devDependencies from 7 workspace packages to the root package.json, eliminating ~60 duplicate declarations:

  • @eslint/js, eslint, eslint-config-prettier, globals, typescript, typescript-eslint, rimraf (previously in all 6 packages + testing)
  • @types/node, prettier, tsx (previously in 3+ packages)
  • vitest, @vitest/coverage-v8, pixelmatch (previously in 5 packages, also resolves npm workspace hoisting issues with @vitest/coverage-v8 transitive deps)

This ensures consistent versions across all workspaces and avoids the npm workspace hoisting failures that were causing missing transitive dependencies (e.g. @ampproject/remapping, ast-v8-to-istanbul, magicast).

Other fixes

  • Removed unused vitest-mock-extended and pixelmatch from root package.json (only needed in fdc3-standard and packages/testing respectively)
  • Added pixelmatch to packages/testing dependencies (required by quickpickle which doesn't declare it)
  • Added type-detect and get-func-name to toolbox/fdc3-conformance dependencies to fix hoisting conflict between chai@4.x (conformance) and chai@5.x (vitest)
  • Added Buffer and path browser polyfills to fdc3-workbench to replace the functionality previously provided by vite-plugin-node-polyfills

Verification

  • npm audit: 0 vulnerabilities (down from 2 high, 5 moderate, 6 low)
  • All 38 test files, 318 tests pass
  • fdc3-workbench and fdc3-conformance build successfully

Related Issue

resolves #1672

  • this is not the primary change in this PR but was resolved at the same time

Contributor License Agreement

  • I acknowledge that a contributor license agreement is required and that I have one in place or will seek to put one in place ASAP.

Review Checklist

  • Issue: If a change was made to the FDC3 Standard, was an issue linked above?
  • CHANGELOG: Is a CHANGELOG.md entry included?
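The decisions in the CVE table above (upgrade the direct dependency when a newer release reaches a patched range, fall back to a root `overrides` entry when none does, and then confirm no stale copy survives in the lock file) can be checked mechanically. The following is an added example, not code from the FDC3 repository: it walks a constructed lockfile v2/v3 `packages` map with npm's own lookup order, lists every installed copy below the patched version, and decides whether an override is unavoidable. `PACKAGE_LOCK`, `MOCHA_RANGES`, the `example-reporter` package and all version numbers are constructed for illustration; `caretAdmits` handles only caret ranges.

```javascript
// Added example (not FDC3 project code). PACKAGE_LOCK is a constructed
// lockfile v2/v3 "packages" map: keys are node_modules paths, "" is the root.
const PACKAGE_LOCK = {
  packages: {
    "": { devDependencies: { mocha: "^10.0.0", "example-reporter": "^1.0.0", vitest: "^3.2.4" } },
    "node_modules/mocha": { version: "10.8.2", dependencies: { "serialize-javascript": "^6.0.2" } },
    "node_modules/serialize-javascript": { version: "6.0.2" },
    // constructed package with a nested copy that hoisting did not dedupe
    "node_modules/example-reporter": { version: "1.0.0", dependencies: { "serialize-javascript": "^6.0.0" } },
    "node_modules/example-reporter/node_modules/serialize-javascript": { version: "6.0.1" },
    "node_modules/vitest": { version: "3.2.4", dependencies: { vite: "^6.0.0" } },
    "node_modules/vite": { version: "6.3.5", dependencies: { esbuild: "^0.25.0" } },
    "node_modules/esbuild": { version: "0.25.5" },
  },
};

// Constructed registry snapshot: serialize-javascript range declared by each
// published mocha version. Real data: npm view mocha@'*' dependencies.serialize-javascript
const MOCHA_RANGES = { "10.8.2": "^6.0.2", "11.0.0": "^6.0.2", "11.1.0": "^6.0.2" };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Caret semantics: for a 1.x+ base, same major and >= base; for a 0.x base the
// minor is pinned too, which is why vite 5's esbuild ^0.24.x can never reach 0.25.
function caretAdmits(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  return bMaj > 0 ? vMaj === bMaj : vMaj === 0 && vMin === bMin;
}

function packageName(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Mirror npm's lookup: the requiring package's own node_modules first, then each
// ancestor's node_modules, ending at the root.
function resolveDep(lock, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const key = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (lock.packages[key]) return key;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

function declaredDeps(pkg) {
  return { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
}

// Every dependency chain from the root to `target`, as "name@version -> ..." strings.
function dependencyPaths(lock, target) {
  const out = [];
  const walk = (key, chain, seen) => {
    for (const dep of Object.keys(declaredDeps(lock.packages[key]))) {
      const depKey = resolveDep(lock, key, dep);
      if (!depKey || seen.has(depKey)) continue;
      const next = [...chain, `${dep}@${lock.packages[depKey].version}`];
      if (dep === target) out.push(next.join(" -> "));
      else walk(depKey, next, new Set(seen).add(depKey));
    }
  };
  walk("", [], new Set());
  return out;
}

// Every installed copy of `name` older than `patchedMin`, wherever it is nested.
// Run this against the lock file after `npm install` to prove an override took effect.
function vulnerableCopies(lock, name, patchedMin) {
  return Object.entries(lock.packages)
    .filter(([key, pkg]) => key !== "" && packageName(key) === name
      && compareVersions(pkg.version, patchedMin) < 0)
    .map(([key, pkg]) => `${key}@${pkg.version}`);
}

// If no published version of the direct dependency admits the patched version,
// upgrading it cannot help: a root package.json "overrides" entry is the fix.
function needsOverride(directDepRanges, patchedVersion) {
  return !Object.values(directDepRanges).some((r) => caretAdmits(r, patchedVersion));
}
```

`needsOverride(MOCHA_RANGES, "7.0.5")` is the table's serialize-javascript case: every constructed mocha release declares `^6.0.2`, so `{ "overrides": { "serialize-javascript": "^7.0.5" } }` in the root package.json (npm honours `overrides` only at the root) is the remaining option. The esbuild row is the opposite case: `caretAdmits("^0.24.2", "0.25.0")` is false, so the fix is moving to a vitest whose vite declares `^0.25.0`.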

…,lnerability

Also remove unused pixelmatch dependency and drop vitest-mock-extended as a dependency in the root package.json as it is only used in packages/fdc3-standard
@kriswest kriswest requested a review from a team as a code owner April 13, 2026 14:21
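The elliptic row above rests on a claim about the workbench source: it imports only `buffer` and `path`, so a blanket Node polyfill plugin (which pulls in crypto-browserify and elliptic) can be replaced by two targeted aliases. The following is an added example, not code from the FDC3 repository, of the audit that backs such a claim: it scans source text for imported Node builtins and returns the vite `resolve.alias` entries for the ones a browser substitute exists for, reporting any others as findings. `NODE_BUILTINS`, `BROWSER_SUBSTITUTES` and the sample sources are constructed; the import scan is a regex heuristic, not a parser.

```javascript
// Added example (not FDC3 project code). Subset of Node core module names,
// constructed for this example; extend it for a real audit.
const NODE_BUILTINS = new Set([
  "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
  "https", "net", "os", "path", "process", "stream", "url", "util", "zlib",
]);

// Browser substitutes the bundle is willing to ship (the PR's choice for
// buffer and path). Anything imported but absent here is reported, not polyfilled.
const BROWSER_SUBSTITUTES = { buffer: "buffer", path: "path-browserify" };

// Module specifiers from static imports, dynamic import() and require().
// Heuristic: a string literal inside a comment that looks like `from 'x'` is
// picked up too; treat results as a review list rather than proof.
function importedSpecifiers(source) {
  const re = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Node builtins a single source file imports, normalised: "node:path" and
// "path/posix" both count as "path".
function nodeBuiltinImports(source) {
  const found = new Set();
  for (const spec of importedSpecifiers(source)) {
    const name = spec.replace(/^node:/, "").split("/")[0];
    if (NODE_BUILTINS.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Across a source tree: alias map for vite resolve.alias plus unresolved findings.
function planPolyfills(sources) {
  const needed = new Set(sources.flatMap((src) => nodeBuiltinImports(src)));
  const alias = {};
  const unresolved = [];
  for (const name of [...needed].sort()) {
    if (name in BROWSER_SUBSTITUTES) alias[name] = BROWSER_SUBSTITUTES[name];
    else unresolved.push(name);
  }
  return { alias, unresolved };
}

// Constructed sample sources standing in for a workbench-like tree.
const SAMPLE_SOURCES = [
  "import { Buffer } from 'buffer';\nexport const b64 = (s) => Buffer.from(s).toString('base64');",
  'import path from "node:path";\nexport const join = (...p) => path.posix.join(...p);',
  'import React from "react";\nexport default function App() { return null; }',
];

// A file that would have justified the blanket plugin: crypto is reported so the
// author can decide whether it is really reached in browser code.
const CRYPTO_SOURCE = "const { createHash } = require('crypto');";
```

`planPolyfills(SAMPLE_SOURCES).alias` is the object to place under `resolve.alias` in the vite config. Aliasing only redirects explicit `import ... from 'buffer'`; code that expects a global `Buffer` still needs the entry module to import it from the `buffer` package and assign it to `globalThis.Buffer`. A non-empty `unresolved` list is the signal to look at the importing file before reaching for crypto-browserify.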
netlify bot commented Apr 13, 2026

Deploy Preview for fdc3 ready!

  • Latest commit: d59430f
  • Latest deploy log: https://app.netlify.com/projects/fdc3/deploys/69dcfebee59e460008b277c0
  • Deploy Preview: https://deploy-preview-1841.preview-fdc3.finos.org

@kriswest (Contributor, Author)

@finos/fdc3-maintainers this PR has us finally achieving zero CVEs on the main packages, fdc3-workbench and website. I've tried to make it easier to maintain this going forward - the next logical step would be to convert fdc3-conformance to vite/esbuild and vitest to further consolidate and simplify.

I'll be using this as the base for the 2.2.2 release branch, which I am working on now.

codecov-commenter commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.61%. Comparing base (70af539) to head (d59430f).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1841      +/-   ##
==========================================
- Coverage   95.68%   95.61%   -0.07%     
==========================================
  Files          69       69              
  Lines        4631     4676      +45     
  Branches      806      721      -85     
==========================================
+ Hits         4431     4471      +40     
- Misses        200      205       +5     


@mistryvinay (Contributor) left a comment

LGTM

@kriswest kriswest merged commit 2bec813 into main Apr 14, 2026
8 checks passed
@kriswest kriswest deleted the fix-vulnerable-deps branch April 14, 2026 09:50

Development

Successfully merging this pull request may close these issues.

Update the FDC3 Workbench version check for 2.2

3 participants