feat!: switch from CJS to ESM and bump Yeoman packages

[JoshuaKGoldberg]

Purpose of this pull request?

Fixes #265.

• Documentation update
• Bug fix
• Enhancement
• Other, please explain: package dependencies and module update

What changes did you make?

• Adds "type": "module" to the package.json
• Bumps all Yeoman dependencies to the latest: in particular the production deps yeoman-generator and yosay
• Bumps the package.json and build.yml Node.js versions to 18+
• WIP: Bumps Jest and switches it to its experimental ESM support

Is there anything you'd like reviewers to focus on?

I opted not to update other dependencies such as Chalk to keep the change minimal. I'd suggest we hold off releasing a new major version with these changes until those come in too

BREAKING CHANGE: Updates the Node.js engine minimum to ^18.17.0 || >=20.5.0 to align with the current "yeoman-generator" minimums.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@jest/[email protected] ➜ 29.7.0	Transitive: eval	+17	922 kB	simenb
npm/[email protected]	environment Transitive: filesystem, shell	+5	65.1 kB	kentcdodds

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[JoshuaKGoldberg]

Partially blocked by #270 -> #271.

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	CI
Known malware	npm/@jridgewell/[email protected]	Note: Malicious code in gen-mapping (npm) Source: ghsa-malware (b4eec31ee330eb33aaa0bd7ce9a12d554bd6cad4d845e221ee1c01d5942a5ca3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.	🚫

View full report↗︎

Next steps

What is known malware?

This package is malware. We have asked the package registry to remove it.

It is strongly recommended that malware is removed from your codebase.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/@jridgewell/[email protected]