Disable node integration in worker

[jackkav]

motivation: turn web worker into a sandbox capable of limiting what can be done from a nunjucks crafted tag. eg {{ require('fs').rmdir('/Users') }}

approach: build fewest bridges as possible to limit exploitable surface, therefore maximise use of available browser apis.

consequences of this approach:

• deprecating md5 support because its no longer supporting in browsers (see wikipedia md5 page)
• moving spectral to utility process slows it down a bit but also solves bundling ambiguity
• I chose to keep iconv-lite for decoding since i cant be sure how its being used and it doesn't seem risky to expose
• jsonpath runs in a safer place now

todo

• use polyfills where possible (url,uuid,crypto)
• create bridges for required node/npm modules
• tidy up require interceptor and vite config
• fix spectral lint
• fix elevated extensions
• test bridges
• test polyfills
• abstract fetch bridge to ease typing and avoid typos
• review bridge granularity in light of plugin api goals
• move jsonpath-plus to devDeps in order to use browser versions
• scope out spectral changes and find a simple way to degrade
• avoid out the nothing true workaround

For later

• still offers readFile, we could limit paths?
• still offers email from os.userInfo()

issues

• spectral doesn't play nice with our settings so they don't resolve to browser versions when we try to use them in the worker directly, complaining of missing require
• playwright timeouts, previously we were timing out the action which discarded any progress, i moved the timeout to playwright and made the action timeout longer so it didn't discard time outs.

[cwangsmv]

Request => URL & Request => Cookie tag will fail.
It seemed that with nodeIntegrationInWorker: false, there is no document API in Webwork which leads to the failure of smartEncodeUrl used for these two tags