Vulnerabilities: Check if we have known vulnerabilities as published in Open Source Vulnerability

[cherriechang]

Tracking issue for:

• [ ] https://github.com/jspsych/jsPsych/security/code-scanning/23

Instructions Code Documentation

### Tasks
- [x] [GHSA-3xgq-45jj-v275](https://osv.dev/vulnerability/GHSA-3xgq-45jj-v275)
- [x] GHSA-952p-6rrq-rcjv
- [x] GHSA-mwcw-c2x4-8c55
- [ ] GHSA-gcx4-mw62-g8wm
- [x] GHSA-g3ch-rx76-35fx
- [x] GHSA-248v-346w-9cwc
- [x] GHSA-34jh-p97f-mpxf
- [ ] GHSA-gmj6-6f8f-6699
- [ ] GHSA-q2x7-8rv6-6q7h

[cherriechang]

• [x] GHSA-3xgq-45jj-v275: Need to update cross-spawn dependency to v7.0.5; requires adding/overriding in package.json since this is a peer dependency; package-lock.json showing it is v7.0.3 right now.
• [x] GHSA-952p-6rrq-rcjv: Not sure it's fixed on micromatch's end. Try v4.0.8 to see if it breaks anything + passes.
• [x] GHSA-mwcw-c2x4-8c55: Fixed in nanoid v3.3.8.
• [ ] GHSA-gcx4-mw62-g8wm: Patch two functions - getRelativeUrlFromDocument, getUrlFromDocument.
• [x] GHSA-g3ch-rx76-35fx: Update vue-template-compiler to v3.
• [ ] GHSA-248v-346w-9cwc: Update certifi to v2024.07.04.
• [ ] GHSA-34jh-p97f-mpxf: Using the Proxy-Authorization header with urllib3's ProxyManager; Disabling HTTP redirects using redirects=False when sending requests; Not using the Proxy-Authorization header.
• [ ] GHSA-gmj6-6f8f-6699: No fix yet; wait for patched version of Jinja
• [ ] GHSA-q2x7-8rv6-6q7h: No fix yet; wait for patched version of Jinja

[cherriechang]

@jodeleeuw Maybe we should figure out how to systematically test whether each fix introduces breaking changes?

[JWMB]

The PR seems stale (last commit Jan 8) - is there anything blocking it?