chore: workflow and dep vulnerability update (#2577)

In response to a security advisory from github:

- The self-mutation workflow effectively allowed for shell injection via branch name, so it was updated to avoid that
- `npm audit fix` for all packages. This updated vm2 as well as projen. The projen update needed a change to make sure it handled our `.npmrc`. Other than that the projen update itself changed several files but things look good
- In the winglang package, had to add esbuild as an explicit dev dependency. In theory, vitest already handles this, but I noticed all the optional system-specific dependencies of esbuild were removed from the lockfile. Not sure what changed, but adding esbuild explicitly doesn't hurt our dependency closure anyways


*By submitting this pull request, I confirm that my contribution is made under the terms of the [Monada Contribution License](https://docs.winglang.io/terms-and-policies/contribution-license.html)*.

.github/workflows/wingsdk-mutation.yml

@@ -65,8 +65,10 @@ jobs:
           git diff --staged --patch --exit-code > /dev/null || echo "::set-output name=self_mutation_happened::true"
       - name: Push changes
         if: steps.token-check.outputs.HAS_TOKEN == 'true' && steps.self_mutation.outputs.self_mutation_happened
+        env:
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
         run: |-
           git config user.name "monada-bot[bot]"
           git config user.email "monabot@monada.co"
           git commit -s -m "chore: self mutation"
-          git push origin HEAD:${{ github.event.pull_request.head.ref }}
+          git push origin HEAD:$HEAD_REF

apps/jsii-docgen/.projenrc.ts

@@ -65,4 +65,7 @@ project.addFields({
   volta: rootPackageJson.volta,
 });
 
+// We use of symlinks between several projects but we do not use workspaces
+project.npmrc.addConfig("install-links", "false");
+
 project.synth();