Resolve vulnerabilities in root project #1368

Merged
ivanduplenskikh merged 5 commits into master from users/iduplenskikh/resolve-root-vulneabilities
Apr 28, 2026
Conversation

Contributor

@ivanduplenskikh ivanduplenskikh commented Apr 28, 2026

Description: Resolve npm audit vulnerabilities in the root package.json and fix the build-tooling fallout exposed by the upgrades.

Dependency changes (root package.json)

  • Bump gulp-mocha ^7.0.2 -> ^10.0.1 — clears the mocha -> debug / diff / js-yaml / minimatch advisory chain (incl. high-severity minimatch ReDoS).
  • Bump qs override 6.14.1 -> ^6.14.2 — clears GHSA-w7fw-mjwx-w883 (the previous override was still inside the vulnerable range).
  • Add serialize-javascript ^7.0.5 override — clears the high-severity serialize-javascript RCE/DoS advisories pulled in transitively via mocha@10.
  • Remove gulp-util and @types/gulp-util — the package is deprecated and pulled in vulnerable lodash.template (high-severity command injection). All call sites replaced with stdlib equivalents.
  • package-lock.json regenerated.

Code changes

  • gulpfile.js:
    • Switch yargs initialization to the v18-compatible API (require('yargs')(hideBin(process.argv)).argv). The legacy singleton require('yargs').argv returns undefined in yargs 18 and was breaking gulp build in CI with Cannot read properties of undefined (reading 'testAreaPath').
    • Resolve the mocha CLI via require.resolve('mocha/package.json') instead of the hardcoded nested node_modules/gulp-mocha/node_modules/mocha/bin/_mocha path; with gulp-mocha@10 mocha is hoisted to the top-level node_modules.
    • Replace gutil.log(...) with console.log(...) and new gutil.PluginError('compileTasks', msg) with new Error('compileTasks: ' + msg).
  • package.js:
    • Drop the gulp-util import and createError helper; replace gutil.PluginError constructions with plain Error and gutil.log with console.log.

Residual / known

  • One advisory remains after these changes: uuid <14.0.0 reached via azure-pipelines-task-lib. There is no upstream fix (latest azure-pipelines-task-lib@5.2.10 still depends on uuid@^3 and uses the uuid/v4 subpath import). The advisory only affects v3/v5/v6 when a buf is provided; the v4 random path used here is not affected. A global uuid override is not viable because uuid v7+ removed subpath imports and would break vault.js.

Validation

  • npm install clean.
  • npm audit: down from 10 vulns (2 high, 3 moderate, 5 low) to 1 known/accepted moderate (uuid).
  • npm run build exits 0 locally.

Documentation changes required: N

Added unit tests: N

Attached related issue: N

Checklist:

  • Version was bumped - please check that version of the extension, task or library has been bumped.
  • Checked that applied changes work as expected.

- bump azure-pipelines-task-lib from ^5.2.8 to ^5.2.10
- upgrade gulp from ^4.0.2 to ^5.0.1
- upgrade gulp-mocha from ^6.0.0 to ^10.0.1
- update gulp-util from ^3.0.7 to ^1.0.0
- upgrade xml2js from ^0.4.17 to ^0.6.2
- update yargs from ^4.7.1 to ^18.0.0
- change qs version from 6.14.1 to ^6.14.2 in overrides
- add serialize-javascript with version ^7.0.5 in overrides
@ivanduplenskikh ivanduplenskikh requested review from a team as code owners April 28, 2026 08:33
@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

@ivanduplenskikh ivanduplenskikh enabled auto-merge (squash) April 28, 2026 09:28
@azure-pipelines

Azure Pipelines:
Successfully started running 1 pipeline(s).

@ivanduplenskikh ivanduplenskikh merged commit 1b2845e into master Apr 28, 2026
9 checks passed
@ivanduplenskikh ivanduplenskikh deleted the users/iduplenskikh/resolve-root-vulneabilities branch April 28, 2026 14:58