Remove mason-js dependency

[springmeyer]

The mason-js dependency is unmaintained and frozen, but still currently used inside of vtcomposite. It has been unmaintained since 2018. For a while it seemed like mason-js would again see maintenance (enough that security issues related to out-of-date binaries and mason-js JS dependencies could be mitigated). But, in effect, mason-js not been maintained since 2018 and therefore I think it is critical to acknowledge this and take action downstream (here).

So, my recommendation is to remove the dependence on mason-js in vtcomposite.

To do this would involve:

• Removing mason-js from

  vtcomposite/package.json

  Line 20 in ffdea5a

  "@mapbox/mason-js": "^0.1.5"

• Removing the mason-versions.ini
• Implementing an alternative method for fetching up to date and reliable versions of dependencies that are currently being installed by mason-js