update yaml-js dev dependency to make npm audit happy

[mswaidan]

no 🚨 🚨 🚨 on npm install plz: https://www.npmjs.com/advisories/788

[didimitrie]

heya @mswaidan!!! would merge this, but there's this little nagging question: afaik, package-lock.json gets rewritten on every npm install. see this.

Subsequently, which top level dependency requires js-yaml, and if there's a new version that updates its requirements, we'll need to update that one to solve the ☣️🚨☣️🚨on install.

Welcome to npm hell. I might be wrong re the behaviour of package-lock.json - so can stand corrected!

[mswaidan]

Hey @didimitrie - long time, no speckle!

I just ran npm audit fix to make this change, but looking into it further:

• I think package-lock.json should only be overwritten if changes are incompatible with package.json: #3 here
• npm ls js-yaml shows that eslint@@5.9.0 is the parent dependency.
• eslint@@5.9.0 asks for "js-yaml": "^3.12.0"
• So, package-lock.json won't be overwritten unless we specify a semver incompatible js-yaml version.
• This PR specifies 3.13.1, which should be compatible.
• So, the change in this PR shouldn't cause re-writes of package-lock.json

After looking into it, I think this should be okay to merge. But I could be wrong!

[didimitrie]

thanks matt! merged it - and learned some new things to, which is the best 😎