[Feature Request] Long-term Moq strategy

[codeofdusk]

This applies to both Accessibility Insights for Windows and Axe.Windows, filing here for tracking of both.

Is your feature request related to a problem? Please describe.
Since 4.20.x, Moq has introduced a privacy vulnerability that improperly handles user data, see moq/moq#1372. In #1677 and microsoft/axe-windows#963, @madalynrose pinned our Moq version to 4.18.4.

Describe the solution you'd like
We should consider switching to an alternative unit testing library such as NSubstitute or a community backed Moq fork when or if one emerges. If we choose NSubstitute, we might be able to automate part of the migration. It might make sense to do such a migration in stages, similar to microsoft/accessibility-insights-web#2869.

Describe alternatives you've considered
Continue to use Moq 4.18 indefinitely, with an understanding that we will likely be unable to take any updates to the library going forward.

[microsoft-github-policy-service]

This issue has been marked as ready for team triage; we will triage it in our weekly review and update the issue. Thank you for contributing to Accessibility Insights!

[DaveTryon]

We want to wait and see what happens with the broader community on this

[ChristoWolf]

I have worked with Moq, NSubstitute and FakeItEasy over the years and I have to say that I prefer FakeItEasy by far.

Also, not only was the Moq fiasco legally dubious, but they even used their versions for memeing (v4.20 instead of v4.19, v4.20.69).
Such things are not a great look when you have to provide SBOMs to regulatory bodies and customers.