🔒️ Fix Dependabot Alerts & Prepare for Node.js Upgrade (#990) (#991)

[mistryrn]

Upgrade (almost) ALL the dependencies! 🎉

Dozens of dependency upgrades to resolve nearly 50 Dependabot alerts for #990 . Notable upgrades include: react-scripts, emotion, and babel. Also enables the app to build and run on the latest LTS Node.js v16 for #991 .

Due to major version change of emotion, all css and styled imports in the UI had to be updated.

There are LOTS of new linter warnings, but those will be resolved in a future PR.

Deploy Instructions

Unknown at this time. May require clearing the node_modules directories in each project before doing the yarn install. Will be tested on collab to find out.

UPDATE 05/30/2022: after testing the deploy on collab, no extra steps were required. It was noted, however, that build times take much longer.

UPDATE 05/31/2022: a subsequent PR has been created to fix all the new linter warnings that have sprung up following the dependency upgrades. This appears to have improved build times a bit: https://github.com/nci-hcmi-catalog/portal/pull/994

Commits

⬆️ Upgrade express-restify-mongoose to v6.1.2 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Upgrades or eliminates the following vulnerable dependencies to resolve security alerts:
  • mongoose@^4.13.19
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/35
  • async@2.6.1 (partial)
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/29
  • bson@~1.0.4
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/52
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/12
  • mpath@0.5.1 (partial)
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/58
  • mquery@2.3.3
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/41
  • mongodb@2.2.34 (partial)
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/38

⬆️ Upgrade migrate-mongo to v8.2.2 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Upgrades or eliminates the following vulnerable dependencies to resolve security alerts:
  • moment@2.22.2
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/26
  • mongodb@3.1.6 (partial)
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/38
  • async@2.6.1 (partial)
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/29
• NOTE: stuck at v8.2.2 until Node.js upgrade. Will upgrade this package to latest once using the latest Node.js

⬆️ Upgrade moment-timezone to v0.5.34 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Resolves the following security alert:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/26

⬆️ Upgrade nodemon to v2.0.16 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Upgrades nodemon to partially resolve the following Dependabot security alert:
  • chokidar@^2.0.0, chokidar@^2.1.8 -> chokidar@^3.5.2
  • glob-parent@^3.1.0 -> glob-parent@~5.1.2
    • https://github.com/nci-hcmi-catalog/portal/security/dependabot/54

⬆️ Upgrade yup to v0.32.11 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Upgrades yup to resolve the following security alert in one of its dependencies:
  • property-expr@^1.5.0 -> property-expr@^2.0.4
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/51

⬆️ Upgrade googleapis to v100 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Upgrade googleapis and its dependencies to partially resolve the following security alerts in node-forge:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/5
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/6
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/8
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/22
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/23
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/24

⬆️ Upgrade json-schema to v0.4.0 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Resolves the following security alert: https://github.com/nci-hcmi-catalog/portal/security/dependabot/62

⬆️ Upgrade eslint to v7.32.0 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Resolves the following security alert for the vulnerable dependency ajv:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/14

⬆️ Upgrade mpath to v0.8.4 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Uses forced resolutions to upgrade mpath from 0.8.3 to 0.8.4, since the package requiring it is no longer maintained

• Resolves the following security alert:

  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/58

  🚨 Update browserslist and caniuse-lite

• Update installed versions of browserslist and caniuse-lite to clean up compiler warnings that were happening on each install and run of the application

⬆️ Upgrade react-scripts, Enable Node.js v16 Upgrade (https://github.com/nci-hcmi-catalog/portal/issues/990) (https://github.com/nci-hcmi-catalog/portal/issues/991)

• Upgrades react-scripts from v2.0.3 to v4.0.3
• Major upgrades to eslint, babel, emotion, and other configs
• Upgrade sharp to v0.28.3 to prevent breaking on builds under Node.js 16
• Upgrade and refactor uuid usage to prevent breaking on builds under Node.js 16
• Numerous dependency upgrades to resolve the following Dependabot Security Alerts:
  • react-dev-utils@^6.0.3 -> 11.0.4
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/44
  • ssri@^5.2.4 -> 6.0.2
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/49
  • serialize-javascript@^1.4.0 -> 3.1.0
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/37
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/36
  • webpack-dev-server@3.1.9 -> 3.1.11
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/31
  • postcss (^6.0.1, ^6.0.23) -> 7.0.36
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/65
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/55
  • json-schema@0.2.3 -> 0.4.0
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/62
  • sockjs@0.3.19 -> 0.3.20
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/50

💚 Fix yarn.lock file (https://github.com/nci-hcmi-catalog/portal/issues/990)

⬆️ Upgrade @babel/cli and other dependencies (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Minor version upgrades to various dependencies, including:
  • @babel/cli -> 7.17.10
  • aws-sdk -> 2.1140.0
  • axios -> 0.21.4
  • react-modal -> 3.15.1
  • react-scroll -> 1.8.7

⬆️ Upgrade react-app-polyfill (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Upgrade react-app-polyfill from v^0.2.0 to v^2.0.0

➖ Remove unused express-inspector dependency (https://github.com/nci-hcmi-catalog/portal/issues/990)

⬆️ Upgrade babel-jest, jest, and yargs in data_model (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Upgrades several outdated dependencies in the data_model project, resolving the following security vulnerabilities:
  • async -> ^2.6.4
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/29
  • braces@^1.8.2 -> ^2.3.1:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/47
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/32
  • mem@^1.1.0 -> ^4.0.0
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/33
  • merge@^1.2.0 -> ^2.1.1
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/45
  • node-notifier@^5.4.5 -> ^8.0.1
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/42
  • yargs-parser@(^8.1.0, ^9.0.2, ^10.1.0) -> ^13.1.2
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/39

⬆️ Upgrade selfsigned (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Resolves the following security vulnerabilities:
  • node-forge@^0.10.0 -> ^1.3.0
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/24
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/23
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/22
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/8
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/6
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/5

🔒️ Force immer to v9.0.14 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Force immer to resolve to v9.0.14 to fix the following security vulnerabilities:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/59
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/57
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/43

🔒️ Force ansi-html to v0.0.9 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Force ansi-html to resolve to v0.0.9 to fix the following security vulnerability:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/66

🔒️ Force browserslist to v4.20.3 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Force browserslist to resolve to v4.20.3 to fix the following security vulnerability:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/53

🔒️ Force graphiql to v1.9.3 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Force graphiql to resolve to v1.9.3 to fix the following vulnerabilities:
  • graphiql@^0.11.11 -> ^1.4.7:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/1
  • markdown-it@^8.4.0 -> ^12.3.2:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/3
  • cross-fetch@2.2.2 -> ^2.2.6:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/70

🔒️ Force isomorphic-fetch to v3.0.0 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Force isomorphic-fetch to resolve to v3.0.0 to fix the following security vulnerabilities in node-fetch:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/63
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/40

⬇️ Bump graphiql forced resolution down to v1.7.2 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Drop the forced resolution version for graphiql from 1.9.4 to 1.7.2 to avoid node engine error with node <= 12

🔒️ Force glob-parent to v6.0.2 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Force glob-parent to resolve to v6.0.2 to fix the following security vulnerability:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/54

🔒️ Force css-select to v4.3.0 (https://github.com/nci-hcmi-catalog/portal/issues/990)

• Force css-select to resolve to v4.3.0 to fix a security vulnerability with nth-check < 2.0.1:
  • https://github.com/nci-hcmi-catalog/portal/security/dependabot/61