Fix CVE-2023-26159 in follow-redirects 1.15.2

[issackjohn]

Affected files:

• package-lock.json
• /resources/newssite/news-next/package-lock.json
• /resources/newssite/news-site-css/package-lock.json
• /resources/todomvc/architecture-examples/angular/package-lock.json
• /resources/todomvc/architecture-examples/backbone/package-lock.json
• /resources/todomvc/architecture-examples/backbone-complex/package-lock.json
• /resources/todomvc/architecture-examples/preact/package-lock.json
• /resources/todomvc/architecture-examples/preact-complex/package-lock.json
• /resources/todomvc/architecture-examples/react/package-lock.json
• /resources/todomvc/architecture-examples/react-complex/package-lock.json
• /resources/todomvc/architecture-examples/react-redux/package-lock.json
• /resources/todomvc/architecture-examples/react-redux-complex/package-lock.json
• /resources/todomvc/architecture-examples/svelte/package-lock.json
• /resources/todomvc/architecture-examples/svelte-complex/package-lock.json
• /resources/todomvc/architecture-examples/vue/package-lock.json
• /resources/todomvc/architecture-examples/vue-complex/package-lock.json
• /resources/todomvc/big-dom-generator/package-lock.json
• /resources/todomvc/todomvc-css/package-lock.json
• /resources/todomvc/vanilla-examples/javascript-es5/package-lock.json
• /resources/todomvc/vanilla-examples/javascript-es5-complex/package-lock.json
• /resources/todomvc/vanilla-examples/javascript-es6-webpack/package-lock.json
• /resources/todomvc/vanilla-examples/javascript-es6-webpack-complex/package-lock.json
• /resources/todomvc/vanilla-examples/javascript-web-components/package-lock.json
• /resources/todomvc/vanilla-examples/javascript-web-components-complex/package-lock.json

closes #351

[bgrins]

Perhaps we should find a new static development http server module since http-server isn't receiving updates and we have very few features we actually need for local development, but this looks like a simple fix in the meantime.

[rniwa]

Adding "trivial change" label since this doesn't affect the actual benchmark content.

[issackjohn]

FYI: javascript-web-components & news-next had http-server listed as a dependency so I used npm install follow-redirects there instead of npm install follow-redirects --save-dev

[julienw]

It's not clear to me why you added follow-redirects as direct dependencies instead of just updating the package-lock file. npm audit fix should do this for you... including updating other things - we actually have others CVE (babel, semver, word-wrap, to mention only the ones at the top level), so why updating just follow-redirects?

BTW we're not affected by this specific CVE, because as you mentioned, follow-redirects is used for the proxy feature (and just if it's configured to follow redirects), but we're not using it.

[julienw]

Outdated by #360