fix all known major and critical security issues

[marcoemrich]

mostly an upgrade to connect 3.4.1 was necessary.

This required using the new external basic-auth package since connect.basicAuth is no longer available, see http://www.senchalabs.org/connect/basicAuth.html

also did several (conservative npm audit fixes) and upgraded mocha to 6.x

all tests pass, which the exception of two test that was already broken:

• harp init doesn't overwrite an existing directory
• headers should be correct with a valid JS file I assume these test are not relevant any more

[sintaxi]

Thanks for the patch.

The tests don't seem to be completing for me on node v8.9.2. Are you seeing the same issue?

  93 passing (13s)
  1 failing

  1) headers
       should be correct with a valid JS file:
     Uncaught AssertionError [ERR_ASSERTION]: expected { 'accept-ranges': 'bytes',
  'cache-control': 'public, max-age=0',
  'last-modified': 'Thu, 24 Mar 2016 16:43:08 GMT',
  etag: 'W/"14-153a9821560"',
  'content-type': 'application/javascript; charset=UTF-8',
  'content-length': '20',
  date: 'Mon, 25 Mar 2019 19:07:18 GMT',
  connection: 'close' } to have property 'content-type' of 'application/javascript' (got 'application/javascript; charset=UTF-8')
      at Assertion.prop.(anonymous function) (node_modules/should/lib/should.js:61:14)
      at Request._callback (test/headers.js:39:29)
      at Request.self.callback (node_modules/request/request.js:185:22)
      at Request.<anonymous> (node_modules/request/request.js:1161:10)
      at IncomingMessage.<anonymous> (node_modules/request/request.js:1083:12)
      at endReadableNT (_stream_readable.js:1056:12)
      at _combinedTickCallback (internal/process/next_tick.js:138:11)
      at process._tickCallback (internal/process/next_tick.js:180:9)

[marcoemrich]

Sorry, this PR broke the test. I submit a new PR, with the test fixed.