
[23.05] hedgedoc: apply patch for CVE-2023-38487 #246274

Closed

wants to merge 1 commit into from

Conversation

yu-re-ka
Contributor

@yu-re-ka yu-re-ka commented Jul 31, 2023

Description of changes

See #246259

Updating to 1.9.8+ requires entirely reworking the packaging because it no
longer uses Yarn 1.x lockfiles.
Instead we just apply the patch.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@yu-re-ka yu-re-ka changed the title hedgedoc: apply patch for CVE-2023-38487 [23.05] hedgedoc: apply patch for CVE-2023-38487 Jul 31, 2023
@SuperSandro2000
Member

We are missing two patch releases with other fixes which we should backport instead of this.

The package rework should be completely ignorable for most people, and unless you are overlaying hedgedoc I don't see how it could break things.

@yu-re-ka
Contributor Author

Technically these are patch/fix releases, but the content of those releases - removing support for certain nodejs and yarn versions, and changes to the user interface - is barely a patch/fix release kind of change.
The diff from 1.9.7 to 1.9.9 is 51 changed files with 18,774 additions and 12,560 deletions.
This is why I would say the risk of breaking stuff is quite high, and we should only backport important bug/security fixes on top of 1.9.7 for NixOS 23.05.

@SuperSandro2000
Member

and changes to the user interface

I am not sure to which change you are referring.

removing support for certain nodejs and yarn versions,

Yeah, because it was necessary to fix bugs in dependency resolution. I am sure they didn't take that decision lightly. 23.05 is on nodejs_18 and I already tested the update on a real deployment and it went smooth as butter.

I am the maintainer of hedgedoc and I am against doing such patchery since I can't test it and I don't expect upstream to provide any kind of help in case anything doesn't work.

I have created #246327 as an alternative to this and I am kindly asking not to merge this PR.

@yu-re-ka yu-re-ka closed this Jul 31, 2023