bower / bower

A package manager for the web
bower.io
MIT License
14.99k stars 1.85k forks

Usage of vulnerable version of configstore module and deprecated request module #2596

Closed mallikde-kore closed 2 years ago

mallikde-kore commented 2 years ago

Package Name: request@2.67.0

Issues:

  1. The request module has been deprecated.
  2. The current version of request is using a vulnerable version of the cryptiles module, which is deprecated as well (CVE-2018-1000620).

Suggestions:

  1. As an immediate action, please upgrade request to the latest version to mitigate the problem.
  2. As a long-term action, please try replacing the request module with modules like axios/bent.

Package Name: configstore@2.1

Issue: The current version of configstore is using a vulnerable version of the dot-prop module.

Suggestion: configstore fixed this vulnerability in version 3.0.0. Please upgrade configstore to a version higher than 3.0.0.
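A quick way to check whether an install actually carries the two findings above is to walk the `npm ls --json`-style dependency tree and flag configstore below 3.0.0 and any copy of request. This is an added example, not Bower's code; the tree below is constructed for illustration, and the nested dot-prop/cryptiles versions are placeholders, not values from the report.

```javascript
// Added example (not part of the Bower project): audit an npm dependency
// tree for the two findings reported in this issue.
// - configstore < 3.0.0 (the report says 3.0.0 fixed the dot-prop issue)
// - any copy of the deprecated request module

// Constructed sample in `npm ls --json` shape; nested versions are placeholders.
const sampleTree = {
  name: "bower-app-under-review", // hypothetical root package name
  version: "0.0.0",
  dependencies: {
    configstore: { version: "2.1.0", dependencies: { "dot-prop": { version: "0.0.0" } } },
    request: { version: "2.67.0", dependencies: { cryptiles: { version: "0.0.0" } } },
    "other-lib": { version: "1.0.0", dependencies: { configstore: { version: "3.1.2" } } },
  },
};

// Parse "major.minor[.patch]" (a missing patch counts as 0, so "2.1" works).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Returns -1, 0 or 1 like a comparator; prerelease tags are ignored.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

const RULES = [
  { name: "configstore", hit: (v) => compareSemver(v, "3.0.0") < 0,
    reason: "below 3.0.0; uses vulnerable dot-prop (fixed in configstore 3.0.0)" },
  { name: "request", hit: () => true,
    reason: "deprecated; reported version pulls vulnerable cryptiles (CVE-2018-1000620)" },
];

// Depth-first walk; `path` records where in the tree each copy was found.
function auditTree(node, path = [], findings = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    for (const rule of RULES) {
      if (rule.name === name && rule.hit(dep.version)) {
        findings.push({ package: name, version: dep.version, path: here.join(" > "), reason: rule.reason });
      }
    }
    auditTree(dep, here, findings);
  }
  return findings;
}

console.log(JSON.stringify(auditTree(sampleTree), null, 2));
```

Feed it the output of `npm ls --json` on a real install to see which copies, if any, are reachable from your own tree.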

sheerun commented 2 years ago

This is purposeful, as newer versions of request and configstore aren't compatible with old Node versions, and Bower is in maintenance mode: we don't break backward compatibility. I determined that these vulnerabilities aren't important enough to justify a new breaking release. The preferred upgrade method for someone who really cares about security is to migrate to Yarn: https://bower.io/blog/2017/how-to-migrate-away-from-bower/