Convert excerpt to Preact (2/n)

The prop name `overflowHysteresis` was frequently typo-d and is also
misleading as the excerpt doesn't remember the history of the overflow
value, it just uses it as a fixed threshold. Rename it to
`overflowThreshold` instead.

Also improve / simplify a few JSDoc comments per PR feedback.

Warn in JSON-RPC server if message is dropped by origin filter

Remove (some) deprecated SCSS color variables

`$color-cardinal` and `$gray-lightest` have no references in existing
SCSS

Also remove now-unused utility class for cancel buttons—this pattern
is only used in one place and may be on the way out in general.

Sub with `$grey-4`, which is identical (`#a6a6a6`). Part of consolidating
CSS colors.

Sub with `$grey-1`, which is virtually identical (`$color-seashell` was
`#f1f1f1`, `$grey-1` is `#f2f2f2`. Part of consolidating CSS colors.

 - Use `is` prefix for boolean vars consistently

 - Note that the inline controls are optional

 - Clarify units of numeric props

 - Use parens to clarify precedence in a couple of expressions. This
   required overruling Prettier's formatting of these.

Convert the `Excerpt` component to Preact. Rather than convert the
existing implementation verbatim, this is a completely new implementation which
should be easier to understand and use. Instead of requiring callers to
provide an input property which represents the displayed data, which triggers a
re-measurement if it changes, the new implementation observes the DOM
directly for size changes.

This component renders caller-provided content (ie. it accepts a `children`
prop), which is not supported by the Preact <-> Angular bridge. Therefore it was
also necessary to create components (`AnnotationBody`, `AnnotationQuote`) that
encapsulate uses of `Excerpt` inside the `<annotation>` component.

 - Add `observe-element-size` utility module to watch for changes in
   the size of a DOM node using APIs available in the current browser

 - Add new `Excerpt` implementation and remove the old one

 - Remove `excerpt-overflow-monitor` utility that is not used by the new
   implementation

 - Add `AnnotationBody` component to render an annotation's markup body
   inside a (new) excerpt and convert the Angular template for
   `<annotation>` (annotation.html) to use it.

 - Add `AnnotationQuote` component to render an annotation's quote
   inside an excerpt and convert `annotation.html` to use it

Convert excerpt to Preact (1/n) - Add a utility to observe element size changes

Address some confusion I encountered while testing
https://github.com/hypothesis/lms/pull/1157/ where JSON-RPC messages
from the lms app to the client would be silently dropped if the
`rpcAllowedOrigins` config was not set correctly.

Log a console warning when this happens to make the problem more
obvious.  Before warning though, filter out non JSON-RPC messages
because there are various other sources of "message" events which the
client is likely to receive and which we don't want to result in warning
spam.

Show focus ring on annotator toolbar buttons when using keyboard focus

[Security] Bump https-proxy-agent from 2.2.2 to 2.2.4

Reduce test startup time when running a subset of tests

Bumps [https-proxy-agent](https://github.com/TooTallNate/node-https-proxy-agent) from 2.2.2 to 2.2.4. **This update includes security fixes.**
- [Release notes](https://github.com/TooTallNate/node-https-proxy-agent/releases)
- [Commits](https://github.com/TooTallNate/node-https-proxy-agent/compare/2.2.2...2.2.4)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Bump fetch-mock from 6.5.2 to 8.0.0

The entry point for fetch-mock v8 is an ES module which Browserify does
not support natively. Therefore use the CommonJS entry point as
described at http://www.wheresrhys.co.uk/fetch-mock/#usageimporting.

Bump npm-packlist from 1.4.6 to 2.0.1

Bump @sentry/browser from 5.7.1 to 5.9.0

Bump sass from 1.23.3 to 1.23.6

Bump commander from 3.0.2 to 4.0.1

Bumps [sass](https://github.com/sass/dart-sass) from 1.23.3 to 1.23.6.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.23.3...1.23.6)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Bumps [enzyme-adapter-preact-pure](https://github.com/preactjs/enzyme-adapter-preact-pure) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/preactjs/enzyme-adapter-preact-pure/releases)
- [Changelog](https://github.com/preactjs/enzyme-adapter-preact-pure/blob/master/CHANGELOG.md)
- [Commits](https://github.com/preactjs/enzyme-adapter-preact-pure/compare/v2.1.0...v2.2.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Bumps [@sentry/browser](https://github.com/getsentry/sentry-javascript) from 5.7.1 to 5.9.0.
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/master/CHANGELOG.md)
- [Commits](https://github.com/getsentry/sentry-javascript/compare/5.7.1...5.9.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Bumps [aws-sdk](https://github.com/aws/aws-sdk-js) from 2.556.0 to 2.573.0.
- [Release notes](https://github.com/aws/aws-sdk-js/releases)
- [Changelog](https://github.com/aws/aws-sdk-js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js/compare/v2.556.0...v2.573.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Bumps [npm-packlist](https://github.com/npm/npm-packlist) from 1.4.6 to 2.0.1.
- [Release notes](https://github.com/npm/npm-packlist/releases)
- [Commits](https://github.com/npm/npm-packlist/compare/v1.4.6...v2.0.1)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Bumps [fetch-mock](https://github.com/wheresrhys/fetch-mock) from 6.5.2 to 8.0.0.
- [Release notes](https://github.com/wheresrhys/fetch-mock/releases)
- [Commits](https://github.com/wheresrhys/fetch-mock/compare/v6.5.2...v8.0.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Bumps [@octokit/rest](https://github.com/octokit/rest.js) from 16.34.0 to 16.35.0.
- [Release notes](https://github.com/octokit/rest.js/releases)
- [Commits](https://github.com/octokit/rest.js/compare/v16.34.0...v16.35.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Add changeFocusModeUser action

- Edit `cross-origin-rpc.js` server to be able to call actions.
- Add registerMethods rpc whitelist mapping function

Add hook to tell an element to close if interactions happen outside of it

Prevent errors arising from applying private permissions to anonymous annotations

As a convenience, the app retains the last permissions level used by a user when publishing an annotation. For example, if a user creates and saves and annotation that is set to “only me”/private, the app stashes that as a pseudo-preference in `localStorage` and the next time a user creates a new annotation, that will be the default permissions level applied to it. This makes it easier to create several subsequent annotations that have the same permissions/sharing setting.

There is a bug in this approach, however, which before this patch happened when:

* A Hypothesis user creates an annotation and sets the permissions to “private” (only me) and saves the annotation successfully to the `h` service, then;
* The Hypothesis user logs out, then;
* The same person in the same browser (now an anonymous user from Hypothesis’ perspective) selects some text and clicks “annotate., then;
* The user is shown an error message that they must log in to create annotations: they click “Log In”

Before this fix, the user then would see an error “Cannot read property ‘split’ of null” in an error flash and the login process would not successfully complete. The only workaround was to reload the browser window and try again.

After this fix, the user will not see an error after the sequence detailed above and the login process will complete.

This fix is achieved by preventing the app from attempting to apply default permissions of “only me”/private when no `userid` is available. Doing so creates corrupted permissions on the annotation which throw `TypeError`s when later iterated over.

There are several further fixes necessary to fully clean up this situation, but this patches over the immediate user-visible bug.

Fixes https://github.com/hypothesis/client/issues/1221