Bump node-fetch from 2.6.0 to 2.6.1

[daggy1234]

While a low severity issue, node-fetch 2.6.0 has vulnerabilities. It is a good idea to bump node-fetch used from 2.6.0 to 2.6.1.

https://github.com/node-fetch/node-fetch/blob/master/docs/CHANGELOG.md#v261

Thats about it!

[google-cla]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[daggy1234]

@googlebot I signed it!

[esimons]

Possible to piggyback a patch update of the cross-fetch dependency? Related request in that the current version specified (cross-fetch@3.0.5) itself has an inflexible dependency on node-fetch@2.6.0 --- updating to cross-fetch@3.0.6 should update the transitive node-fetch dep per lquixada/cross-fetch@1d277e5

Edit: Can we also expand scope of PR to include additional packages? e.g. lighthouse-plugin-amp; toolbox-linter; toolbox-cli

[DullReferenceException]

Related: #916

[daggy1234]

So based on the discussion, I bumped both cross-fetch and node-fetch to semver. All instances of both were bumped!

[kmdev1]

Thanks @daggy1234 for creating a PR!

What's the best away getting around to getting this merged? 🎉 It'd be great to see the vulnerability patched 😄

[CLAassistant]

All committers have signed the CLA.

[daggy1234]

I think its ready