
use extatic (a fork of ecstatic that will continue being maintained) #541

Closed
wants to merge 2 commits into from

Conversation

Xmader
Contributor

@Xmader Xmader commented Jun 16, 2019

Please ensure that your pull request fulfills these requirements:

  • The pull request is being made against the master branch
  • Tests for the changes have been added (for bug fixes / features)

What is the purpose of this pull request? (bug fix, enhancement, new feature,...)

Fixes #525
Fixes #502

What changes did you make?

use extatic (a fork of ecstatic that will continue being maintained) instead of the original ecstatic since ecstatic is unmaintained and deprecated

Provide some example code that this change will affect, if applicable:

N/A

@Xmader Xmader changed the title use extatic (a fork of ecstatic) use extatic (a fork of ecstatic that will continue being maintained) Jun 16, 2019
@thornjad
Member

I'm not opposed to this, since it may provide a few benefits. We're very slowly working on rewriting http-server, possibly absorbing ecstatic's functionality into this repo, so this may end up being just a stop-gap for just the next two versions or so, would that be alright?

Also, we need to merge or rebase master here, especially because there's been an important update to vows that we need to get tests running.

@thornjad thornjad added this to the v0.13.0 milestone Dec 21, 2019
@thornjad thornjad added the major version Major, potentially breaking, change label Dec 21, 2019
(since it has been fixed in extatic)
@tchakabam

@thornjad is http-server now still relying on ecstatic, or on this fork, or has it "absorbed" the functionality?

because the package.json here still seems to refer to a version prior to the critical security fix,

see GHSA-jc84-3g44-wf2q

which got fixed with the v4.1.3 release of ecstatic, see

jfhbrook/node-ecstatic@72044b8

and

https://github.com/jfhbrook/node-ecstatic/releases/tag/4.1.3

(which doesn't however change the fact the original project is officially deprecated and not maintained anymore)

The critical question here being, isn't http-server as well exposed to the above mentioned exploit threat?

(actually asking as http-server is used in a customer's project for a currently-still-testing setup, but still...)

@thornjad
Member

thornjad commented Jul 6, 2021

Closing in favor of #693

@thornjad thornjad closed this Jul 6, 2021
Successfully merging this pull request may close these issues:

  • ERR_INVALID_REDIRECT when running http-server
  • NULL byte in request path kills server