
src: add NODE_SECURITY_REVERT environment variable

Some vendors do not allow passing custom command-line flags to the node executable. There are concerns around allowing --security-revert in NODE_OPTIONS because it might be inherited by child processes unintentionally.

This patch introduces a new environment variable that, if set, is unset immediately unless it ends with "+sticky". Aside from that optional suffix, its value is a comma-separated list of CVE identifiers for which the respective security patches should be reverted.

This is not a particularly elegant approach, but since this should only be used under exceptional circumstances, I am not too worried about that.

Closes: https://github.com/nodejs/node/issues/52017
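
The semantics described in the commit message, as an added C++ sketch that is not the patch's own code. The helper name `ConsumeSecurityRevertEnv`, the `RevertRequest` struct, the skipping of empty list items and the placeholder CVE identifiers are assumptions; POSIX `setenv`/`unsetenv` are used.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical result type (not from the patch).
struct RevertRequest {
  std::vector<std::string> cves;  // identifiers exactly as listed
  bool sticky = false;            // value ended with "+sticky"
};

// Hypothetical helper: read NODE_SECURITY_REVERT once at startup and
// remove it from the environment unless the "+sticky" suffix is present,
// so child processes do not inherit it by accident. POSIX unsetenv().
RevertRequest ConsumeSecurityRevertEnv() {
  RevertRequest req;
  const char* raw = std::getenv("NODE_SECURITY_REVERT");
  if (raw == nullptr) return req;
  std::string value(raw);  // copy before the environment is modified
  const std::string suffix = "+sticky";
  if (value.size() >= suffix.size() &&
      value.compare(value.size() - suffix.size(), suffix.size(), suffix) == 0) {
    req.sticky = true;
    value.erase(value.size() - suffix.size());
  }
  if (!req.sticky) unsetenv("NODE_SECURITY_REVERT");
  // Split the remainder on commas; empty items are skipped (assumption).
  std::size_t start = 0;
  while (start < value.size()) {
    std::size_t comma = value.find(',', start);
    if (comma == std::string::npos) comma = value.size();
    if (comma > start) req.cves.push_back(value.substr(start, comma - start));
    start = comma + 1;
  }
  return req;
}

int main() {
  // Constructed placeholder identifiers, not real CVEs.
  setenv("NODE_SECURITY_REVERT", "CVE-0000-0001,CVE-0000-0002", 1);
  RevertRequest r = ConsumeSecurityRevertEnv();
  std::cout << r.cves.size() << " reverts, still set: "
            << (std::getenv("NODE_SECURITY_REVERT") != nullptr) << "\n";
  return 0;
}
```

When auditing a deployment, a value ending in "+sticky" is the case to look for, since it is the only one that stays in the environment and reaches child processes.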

