Dependency & packaging cleanup

[dalberola]

Dependency hygiene in packages/dredd (mostly [verified]).

• chai@4.5.0 is in dependencies but never imported in lib/ (grep confirms it's test-only) — it ships to end users. Move to devDependencies. First confirm no hooks docs promise that Dredd provides chai transitively. [verified]
• Stale htmlencode@0.0.5 (2013) used for XML escaping in packages/dredd/lib/reporters/XUnitReporter.js, and html@1.0.0 in prettifyResponse.js. Evaluate maintained alternatives (entities / he). [verified]
• Winston is already 3.19.0 but the v2 compat shim and the "once we upgrade Winston, simplify to .log(loggerInfo)" FIXME remain at packages/dredd/lib/Dredd.js:226-234. Simplification is now unblocked. [verified]
• proxyquire is used at runtime to load hook files (addHooks.js) — heavyweight for one use; consider a lighter mechanism. (Note, not a bug.)
• Revisit resolutions.ansi-regex: 5.0.1 — install warns it's incompatible with requested ^6.x. [verified]

(Not a finding: resolutions.lodash: 4.18.1 is valid — that is the current latest.)

Tasks

• Move chai to devDependencies (after confirming hook docs).
• Replace/justify htmlencode and html.
• Remove the Winston-2 compat shim and stale FIXME.
• Revisit the ansi-regex resolution pin.

[dalberola]

Investigated each item before changing anything. Two of the five are load-bearing, not cleanup — reclassifying as won't-do with evidence:

• Move chai to devDependencies Keep as-is (by design). docs/hooks/js.rst:178 documents var assert = require('chai').assert; inside hook files and never tells users to install chai themselves — Dredd shipping chai as a dependency is what makes the documented hook-assertion API work. Moving it would break user hooks at runtime (Cannot find module 'chai'). The audit was right that lib/ never imports chai, but it's part of the public hook API surface.
• Revisit resolutions.ansi-regex: 5.0.1 Keep the pin (by design). Verified ansi-regex@6.x is type: module (ESM-only); 5.0.1 is CommonJS. The pin forces every transitive consumer onto the CJS build. Removing it would resolve ESM-only 6.x for some consumers and break require() in this CommonJS project — so it's an ESM-migration blocker, not a stale leftover. The install-time "incompatible" warnings are expected and harmless.

Remaining as optional polish (each needs output-fidelity verification, low priority):

• Replace stale htmlencode@0.0.5 in XUnitReporter — needs XUnit output diff before/after.
• Remove the Winston-2 compat shim at Dredd.js:226 now that Winston is 3.19 — needs logging-output verification.
• proxyquire runtime use is a noted design smell, not a bug — no action.

Re-scoping this issue to just the two optional polish items.

[dalberola]

Tech-lead assessment after investigating the two remaining items — both are low-value polish with real output-sensitivity, so deferring rather than churning working code:

• Remove the Winston-2 compat shim (`Dredd.js` + `createConsoleLogger.js`) — the shim is a deliberate byte-for-byte reproduction of Winston 2 console output. The FIXME simplification (`.log(level, message)` → `.log(loggerInfo)`) is cosmetic and would risk changing verified log formatting. Not worth the regression risk for no functional gain.
• Swap `htmlencode@0.0.5` — it works; no test pins its output, so replacing it would be an unverified behavior change (it entity-encodes non-ASCII; minimal XML escapers don't) for the marginal benefit of dropping one old dep.

(`chai` and the `ansi-regex` resolution were already reclassified as by-design above.) Leaving this open as low-priority; pick up only if modernizing deps with output snapshots in place.