feat(msvs): add SpectreMitigation attribute

[rzhao271]

Backport of https://chromium-review.googlesource.com/c/external/gyp/+/4265144

Description from upstream:

Add SpectreMitigation attribute for msvs

This CL allows gyp to recognize the SpectreMitigation msvs_attribute
and add it to the generated vcxproj file for MSBuild.
Possible values for the attribute are Spectre, SpectreLoad,
SpectreLoadCF, and false.

The /Qspectre compiler option is not enough to add
full Spectre mitigation, because even though it causes MSBuild
to add additional instructions to the generated object files,
it does not cause MSBuild to link against Spectre-mitigated
libraries provided by Visual Studio.

[rzhao271]

Hi @cclauss, is this PR ready to be merged?

[cclauss]

I am not a Windows user so a maintainer with that knowledge will need to approve.
@nodejs/platform-windows

[rzhao271]

Could a reviewer from platform-windows take a look? This PR is blocking node-gyp, and in turn, native node modules, from adopting Spectre Mitigation in accordance with microsoft/binskim policies.

[targos]

/cc @joaocgreis @StefanStojanovic

[StefanStojanovic]

LGTM! To add a few things I noticed while testing:

• Since VS2015 is supported for building Node.JS Addons, and SpectreMitigation is available only in VS2017 and later, if VS2015 is used adding this attribute will have no effect.
• Using VS that supports SpectreMitigation (I tested on VS2017), compilation will fail if the wrong value is set or a required component is not installed. The messages in these cases are very informative, so users should know what to do.