update socket.io to 2.5.0 to fix engine.io vulnerability

[vincentfretin]

See 2.5.0 release notes and security advisory at
https://github.com/socketio/socket.io/releases/tag/2.5.0

A new networked-aframe release is not needed, but you need to double check the socket.io version you use in your own projects. On glitch, open the terminal and execute the following:

rm -rf package-lock.json node_modules/*
refresh

and wait a few seconds, it will automatically do the npm install getting the latest versions. (You can open the Logs tab to see that)
Note that on glitch node_modules is a symlink to a volume. If you do rm -rf package-lock.json node_modules (without the star), it won't remove the currently installed packages, and npm install will still use the old socket.io version.

and for client side, in index.html, use

<script src="https://cdnjs.cloudflare.com/ajax/libs/socket.io/2.5.0/socket.io.slim.js"></script>

The naf-project glitch template has been updated.