FormidableLabs / spectacle

A React-based library for creating sleek presentations using JSX syntax that gives you the ability to live demo your code.
https://commerce.nearform.com/open-source/spectacle/
MIT License
9.7k stars 690 forks

spectacle: remediate critical and high security warnings #1318

Closed Burnett2k closed 3 months ago

Burnett2k commented 3 months ago

https://github.com/FormidableLabs/spectacle/security/dependabot?q=is%3Aopen+severity%3Acritical%2Chigh

Burnett2k commented 3 months ago

I was able to get 2 PRs ready to go for this today. Unfortunately, most of the security updates are dependencies of dependencies, so it's not very straightforward to fix. The two remaining high vulnerabilities are:

Burnett2k commented 3 months ago

We're now down to only a single vulnerability! I'll take a look at trim again to see if there's a path forward, but I found another GitHub thread which makes it seem the only way to fix it is to do a major upgrade of remark and fix the breaking changes :(

ryan-roemer commented 3 months ago

I did a quick skim and I'm not sure there's a first-class way to upgrade only sub-deps in PNPM. You could do this pretty straightforwardly with a package hook here: https://pnpm.io/pnpmfile -- but it would add complexity and seems overkill for us here. A regexp DoS vulnerability seems really low impact for a presentation deck project....
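For reference, this is what the pnpmfile hook mentioned above looks like when used to pin a transitive dependency to a patched range. It is an added illustration, not code from the spectacle repository or from this thread; the package name `example-vulnerable-dep` and the range `^2.0.0` are constructed placeholders, since the issue does not name a fixed version of `trim`. The hook signature `readPackage(pkg, context)` and `context.log` are pnpm's documented API.

```javascript
// .pnpmfile.cjs -- added example, not part of the spectacle project.
// pnpm calls hooks.readPackage(pkg, context) for every package manifest it
// resolves, so a dependency-of-a-dependency's version range can be rewritten
// before the lockfile is built. The names/ranges below are placeholders.

const OVERRIDES = {
  // transitive package -> range assumed (placeholder) to contain the fix
  'example-vulnerable-dep': '^2.0.0',
};

// Returns the (possibly modified) manifest; pnpm uses the returned object.
function readPackage(pkg, context) {
  for (const field of ['dependencies', 'optionalDependencies']) {
    const deps = pkg[field];
    if (!deps) continue;
    for (const [name, range] of Object.entries(OVERRIDES)) {
      if (name in deps && deps[name] !== range) {
        // context.log surfaces the rewrite in pnpm's install output so the
        // override is visible during review rather than silently applied.
        if (context && typeof context.log === 'function') {
          context.log(`${pkg.name}: ${name} ${deps[name]} -> ${range}`);
        }
        deps[name] = range;
      }
    }
  }
  return pkg;
}

module.exports = { hooks: { readPackage }, readPackage, OVERRIDES };
```

Two caveats worth keeping in mind: a hook like this only helps when a patched release exists inside a range the dependent package can actually consume (which is exactly the problem with `trim`/remark described in this thread), and for a one-line pin the declarative `pnpm.overrides` field in `package.json` is usually simpler than a pnpmfile.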

Burnett2k commented 3 months ago

@ryan-roemer I agree it's probably not worth the effort to make a bunch of code changes for that vulnerability. Was just trying to clear up all the critical and sev warnings as part of the OSS audit bench task I've been assigned to.

Burnett2k commented 3 months ago

The remaining trim vulnerability and upgrades of spectacle packages will be handled under another issue https://github.com/orgs/FormidableLabs/projects/43/views/1?pane=issue&itemId=56373115#