Add npm audit hook to CI

[marutypes]

We should keep our libraries secure from known bad packages. We can use npm audit in our CI as a step towards this goal.

[marutypes]

We can't actually use this yet unless we switch off of yarn :(

[michenly]

There is a command call yarn audit to use for this now.

[GoodForOneFare]

fwiw, my current project hasn't found yarn audit to be very usable because:

• It fails an any flagged dependency (even it's an info warning, and you've set --level critical)
• It fails on deeply nested dependencies that would require multiple PRs in multiple repos to solve

So the effort involved in this would be:

• Adding a wrapper that ignores exit codes that aren't >= --level (or a PR to change Yarn's behaviour!)
• Constantly rabbit-holing through PRs in multiple 3rd party repos
• Also adding a 💩-list to the wrapper that unblocks CI while the above PRs churn

So I'm not saying it's useless, but it's not a 🎁 killer feature 😞