mattermost-community / mattermost-plugin-agenda

Mattermost plugin to handle meeting agendas
Apache License 2.0
35 stars 21 forks

update dependencies #55

Closed jfrerich closed 4 years ago

jfrerich commented 4 years ago

Summary

In prep for the v0.1.0 release, we should fix these Dependabot alerts.

Ticket Link

n/a

codecov[bot] commented 4 years ago

Codecov Report

Merging #55 into master will increase coverage by 2.04%. The diff coverage is n/a.

@@            Coverage Diff             @@
##           master      #55      +/-   ##
==========================================
+ Coverage   26.23%   28.27%   +2.04%     
==========================================
  Files           6        6              
  Lines         343      343              
==========================================
+ Hits           90       97       +7     
+ Misses        235      229       -6     
+ Partials       18       17       -1     
Impacted Files Coverage Δ
server/utils.go 95.12% <0.00%> (+17.07%) :arrow_up:

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 0f165d1...5489921.

jfrerich commented 4 years ago

@hanzei, package-lock.json changed considerably after running npm audit fix.

After running npm install on master, we see the following: [image]

After running npm audit fix, the low severity packages were also updated. [image]

It looks like Dependabot only highlights medium and high severity issues, but running npm audit fix also fixes the low severity dependencies.

If we prefer only to fix the two Dependabot notifications, I can rerun the following and reduce the total number of dependency updates:

hanzei commented 4 years ago

I'm 1/5 to only fix the ones that Dependabot reports. We don't have a process for the other ones.

If there is an easy way to fix only these two, I would prefer it, but if there is none, I'm fine with using npm audit fix.

hanzei commented 4 years ago

It might be fine to skip QA review here, as release testing is coming up soon after.

jfrerich commented 4 years ago

Agree! Merging!