
Commit 5e15050

Merge pull request #2440 from cfpb/2439-high-and-moderate-security-fixes
chore(deps): resolve outstanding high and moderate security vulnerabilities

Let's fix up the remaining high and moderate severity vulnerabilities. This goes through and cherry-picks commits from dependabot PRs and combines them with a few that had to be manually fixed.

🚀 Currently on Dev as v3.2.3h 🚀

## Changes

### Dependabot cherry-picked commits

- micromatch from 4.0.7 to 4.0.8
- nanoid from 3.3.7 to 3.3.8
- path-to-regexp from 1.8.0 to 1.9.0
- @babel/runtime from 7.24.8 to 7.26.10
- vite from 5.4.7 to 5.4.12
- elliptic from 6.5.6 to 6.6.1

### Manual dependency bumps

- chore(deps): resolve esbuild to 0.25.0
  - see vitejs/vite#19412 for explanation
- chore(deps): resolve dompurify to 3.2.4
  - see parallax/jsPDF#3825 for explanation
- chore(deps): resolve canvg to 3.0.11
  - see parallax/jsPDF#3834 for explanation
  - bumping this to 3.0.11 won't get rid of the dependabot alert, but does fix the vulnerability. We'll wait for [the jspdf patch](parallax/jsPDF#3834).

## Testing

1. Do the tests still pass on Dev?
   _Looks like only the expected tests to fail on Dev are failing_
   ![Screenshot 2025-03-17 at 5 24 30 PM](https://github.com/user-attachments/assets/26695629-cf42-463d-8eae-93ac2525d924)
2. Does the site still behave normally?
2 parents 85c2ede + 64041fe commit 5e15050


2 files changed

+168
-141
lines changed


package.json

+5-2
@@ -94,7 +94,7 @@
9494
"jest": "^29.7.0",
9595
"react-icons": "^4.4.0",
9696
"serialize-javascript": "5.0.1",
97-
"vite": "5.4.7",
97+
"vite": "5.4.12",
9898
"vite-plugin-node-polyfills": "^0.19.0",
9999
"vite-plugin-svgr": "^4.1.0"
100100
},
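Review bot: Of the six dependabot bumps listed in the commit message (micromatch, nanoid, path-to-regexp, @babel/runtime, vite, elliptic), only `"vite": "5.4.12"` appears in this package.json hunk, so the other five must be transitive upgrades that live entirely in the second changed file (the lockfile, +168/-141 lines). Before merging, confirm that file actually resolves micromatch to 4.0.8, nanoid to 3.3.8, path-to-regexp to 1.9.0, @babel/runtime to 7.26.10 and elliptic to 6.6.1 as the message claims; a lockfile-only fix is silently undone the next time someone regenerates the lock without those pins, so consider whether any of them also belong in the constraints block below.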
@@ -113,7 +113,10 @@
113113
"semver": ">=7.5.2",
114114
"tough-cookie": ">=4.1.3",
115115
"word-wrap": ">=1.2.4",
116-
"browserify-sign": ">=4.2.2"
116+
"browserify-sign": ">=4.2.2",
117+
"dompurify": "3.2.4",
118+
"esbuild": "0.25.0",
119+
"canvg": "3.0.11"
117120
},
118121
"packageManager": "[email protected]"
119122
}
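Review bot: The three new entries use exact pins (`"dompurify": "3.2.4"`, `"esbuild": "0.25.0"`, `"canvg": "3.0.11"`) while every existing entry in this block uses a `>=` floor (`"semver": ">=7.5.2"`, `"browserify-sign": ">=4.2.2"`). An exact pin here freezes the transitive version, so future patch releases of these packages, including later security fixes, will not be picked up until someone edits this file again. Unless the exact version is required (the commit message cites vitejs/vite#19412 for esbuild, which may be such a case), prefer `>=3.2.4`, `>=0.25.0` and `>=3.0.11` to match the surrounding entries. Separately, the message notes the canvg pin is a stopgap pending parallax/jsPDF#3834; since package.json cannot carry a comment, open a tracking issue so the override is removed once the jspdf patch lands rather than left behind indefinitely.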

0 commit comments
