
Full dependencies security update, clearing 40 vulnerabilities, half Critical #1298

Open
hillct wants to merge 2 commits into yagop:master from hillct:feature/updateDependencies

Conversation

@hillct hillct commented Mar 29, 2026

  • All tests pass
  • I have run npm run doc

Description

Fully addressing the threat surface exposed by the 40 dependency vulnerabilities present in the outdated dependencies. We were able to cut that number down to 12 by completing dependency updates (correcting for some breaking changes along the way), and further got it down from 12 to 0 vulnerabilities by outright replacing some of the no longer maintained dependency packages. A quick summary of the migrations we made:

DevDependencies:
  - Babel 6 → 7 (eliminated 23 critical vulnerabilities)
  - Replaced individual plugins with @babel/preset-env
  - Updated .babelrc to new format with Node 0.12 target
  - ESLint 2 → 9; created eslint.config.js (v9 requires this format)
  - Migrated from babel-eslint to @babel/eslint-parser
  - mocha@^12.0.0-beta-10 (High) - Upgraded to beta version with fixed transitive deps
  - istanbul → nyc for test coverage

Granted, dev dependencies don't pose a production threat, but better for completeness.

Removed/Replaced:
  - node-static@0.7.11 (High - Directory Traversal) - Removed and replaced with built-in fs/http modules in test utilities
  - @cypress/request-promise@^5.0.0 (Moderate) and request@2.88.2 (Critical) - Completely replaced with modern HTTP client

Transitive dependencies via request ecosystem:
  - request-promise-core@1.1.3 - Removed (no longer needed)
  - form-data@2.3.3 - Removed (vulnerable version)
  - qs@6.5.5 - Removed (vulnerable version)
  - tough-cookie@2.5.0 - Removed (vulnerable version)

Upgraded:
  - serialize-javascript@^7.0.5 (High) - Upgraded to fixed version
  - diff@^8.0.4 (Low) - Upgraded to fixed version

New Dependencies Added:
  - node-fetch@2.6.12 - Modern Promise-based HTTP client (Node 6+ compatible)
  - form-data@4.0.5 - Secure version for multipart form data

References

@hillct hillct changed the title from "Feature/update dependencies" to "Full dependencies security update, clearing 40 vulnerabilitied, half Critical" on Mar 29, 2026
@hillct hillct changed the title from "Full dependencies security update, clearing 40 vulnerabilitied, half Critical" to "Full dependencies security update, clearing 40 vulnerabilities, half Critical" on Mar 29, 2026