chore(package): replace access-sniff with pa11y and fix security vulnerabilities

[Jerricho93]

Note: This PR should be merged after all upstream dependency PRs are merged and published to npm.

Build toolchain (merge these first):

• chore(package): fix security vulnerabilities in dependencies babel-config#5
• chore(package): fix security vulnerabilities in dependencies generator-helpers#10
• chore(package): fix security vulnerabilities in dependencies videojs-generate-rollup-config#49
• chore(package): fix security vulnerabilities in dependencies videojs-generate-karma-config#48
• chore(package): fix security vulnerabilities in dependencies standard#71
• chore(package): fix security vulnerabilities in dependencies videojs-generator-verify#16

Runtime dependencies (merge after toolchain):

• chore(package): bump rollup to ^2.80.0 to fix DOM clobbering vulnerability vhs-utils#47
• chore(package): bump rollup to ^2.80.0 to fix DOM clobbering vulnerability mux.js#451
• chore(package): bump rollup to ^2.80.0 to fix DOM clobbering vulnerability aes-decrypter#90
• chore(package): bump rollup to ^2.80.0 to fix DOM clobbering vulnerability m3u8-parser#196
• chore(package): bump @xmldom/xmldom to ^0.9.0 and rollup to ^2.80.0 to fix security vulnerabilities mpd-parser#190
• chore(package): fix security vulnerabilities in dependencies videojs-contrib-quality-levels#156
• chore(package): bump underscore to ^1.13.8 and fix difflet git:// URL vtt.js#72
• chore(package): fix security vulnerabilities in dependencies http-streaming#1603

Description

Fix security vulnerabilities and replace deprecated access-sniff with pa11y.

access-sniff pulled in critical/high vulnerabilities through axios, jsdom, and phantomjs-prebuilt. Replaced with pa11y. Also: webpack ^1.15.0 → ^5.106.0 (critical vulns), semver ^5.7.0 → ^7.5.4 (ReDoS), plus an overrides block for remaining transitive vulnerabilities.

Specific Changes proposed

• Remove access-sniff; add pa11y ^9.1.1 + build/test-pa11y.js
• Bump webpack to ^5.106.0; add webpack-cli ^5.1.4; update build:test:webpack script
• Bump semver to ^7.5.4; add overrides block

Requirements Checklist

• Feature implemented / Bug fixed
• Has no DOM changes which impact accessibility
• Has no changes to JSDoc which cause npm run docs:api to error
• Reviewed by Two Core Contributors

[Jerricho93]

@mister-ben I've opened a series of PRs to fix security vulnerabilities across the videojs org dependencies. Before this one can be merged, the upstream PRs listed in the description need to be reviewed, merged, and published to npm first (in roughly that order, since some depend on others).

Once those are all released, I'll update the lockfile here and mark this ready for review.

Would you be able to take a look at those PRs when you get a chance?