fix: Remove CVE-2022-23539 vulnerability by updating the jsonwebtoken packages

[sw-joelmut]

Addresses #4684
#minor

Description

This PR updates the version of the jsonwebtoken package from 8.x to 9.x to fix the CVE-2022-23539 (https://github.com/microsoft/botbuilder-js/security/dependabot/243) vulnerability.
Along the way, the following vulnerabilities were also fixed in this PR:

• sanitize-html https://github.com/microsoft/botbuilder-js/security/dependabot/345 - CVE-2022-25887
• lodash.pick https://github.com/microsoft/botbuilder-js/security/dependabot/324 - CVE-2020-8203
• node-fetch https://github.com/microsoft/botbuilder-js/security/dependabot/96 - CVE-2022-0235
• trim https://github.com/microsoft/botbuilder-js/security/dependabot/80 - CVE-2020-7753

This PR also improves the browser-functional project and pipeline to work with latest Chrome and Firefox drivers, avoiding using npm dependencies for these, and have a clear way to test them locally.

Specific Changes

• Added lodash.pick internal project that acts as a proxy between vulnerable lodash.pick version and lodash. So it doesn't reintroduce the CVE-2020-8203 vulnerability.
• Removed jsonwebtoken resolution, as it's no longer needed with the new version of botframework-webchat.
• Updated botframework-webchat inside browser-echo-bot from 4.5.0 to 4.16.0 (note: 4.17.0 has node 18 limitation).
• Added browserify, react, and react-dom as devDependencies, since they are required in the webpack server.
• Added sanitize-html resolution to update the version from 2.11 to 2.13. The rest of sanitize-html vulnerabilities (moderate) have been solved after updating botframework-webchat.
• Added use browser drivers step in the browser-functional pipeline to copy the Chrome and Firefox drivers from the current running pipeline machine.
• Nightwatch tests improvements
  • npm geckodriver has been replaced with using the geckodriver.exe directly.
  • chromedriver.exe has been removed to be provided by the user or pipeline step. Mostly to use the latest version or a specific one.
  • Fixed issues with webchat, since it changed from version 4.5 to 4.16, and required DOM element references to be updated.
  • Added validation steps before all tests run, checking if the requirements like "drivers" and "browser" meet the requirements. Otherwise, it shows a message to install them.

Testing

The following images show the browser-functional validations, the tests and pipeline passing.

[coveralls]

Pull Request Test Coverage Report for Build 9799065989

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-0.4%) to 84.078%

---

Totals
Change from base Build 9767028772:	-0.4%
Covered Lines:	20347
Relevant Lines:	22904

---

💛 - Coveralls

[coveralls]

Pull Request Test Coverage Report for Build 9799065989

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 84.433%

---

Totals
Change from base Build 9767028772:	0.0%
Covered Lines:	20429
Relevant Lines:	22904

---

💛 - Coveralls