build(npm): improve state of npm audit and vulnerabilities

[Splaktar]

Bug, enhancement request, or proposal:

Security audit compliance

Steps to reproduce the issue:

Detailed Reproduction Steps:

1. npm audit

What is the expected behavior?

There should be a minimal, near zero, amount of known vulnerabilities in the libraries used by AngularJS Material, even for builds.

What is the current behavior?

found 140 vulnerabilities (63 low, 44 moderate, 31 high, 2 critical) in 6293 scanned packages
run npm audit fix to fix 47 of them.
86 vulnerabilities require semver-major dependency updates.
7 vulnerabilities require manual review. See the full report for details.

What is the use-case or motivation for changing an existing behavior?

Security audit compliance

Which versions of AngularJS, Material, OS, and browsers are affected?

• AngularJS Material: 1.1.9

Is there anything else we should know? Stack Traces, Screenshots, etc.

[Splaktar]

gulp-sass is one of the big issues atm. It's tracked separately in #11270.

[Splaktar]

Opened avevlad/gulp-connect#256.

[Splaktar]

Looked into upgrading to Gulp 4.0.0, but there are major breaking changes that will require some significant effort to resolve. They want you to use named functions now instead of named tasks from the task registry. This means that our process for registering all tasks from files at the start will need some changes. Also the way dependencies is handled is totally different, moving from a list of task string names to a new gulp.series and gulp.parallel syntax.

By not upgrading to Gulp 4.0.0, we keep the following vulnerabilities

• +4 High
• +1 Low

This post is fairly helpful on the more straightforward parts of the migration.

[Splaktar]

Looked into upgrading Karma to 2.0.4 but that gives about 150 test failures due to Error: 'afterEach' should only be used in 'describe' function. It looks like we must be using that in some it blocks.

By not upgrading to Karma 2.0.4, we keep the following vulnerabilities

• +3 High
• -13 Moderate
• +8 Low

[Splaktar]

I got down to around found 37 vulnerabilities (17 low, 10 moderate, 10 high) but while I could run the docs site in dev mode, I was still seeing 150-180 test failures. Will investigate more later...

[Splaktar]

OK, I've got the tests passing and the warnings down to found 32 vulnerabilities (17 low, 5 moderate, 10 high). Note that this means that all critical warnings are resolved.

[Splaktar]

PR #11527 opened to update gulp-connect to the latest version now that avevlad/gulp-connect#256 is fixed.

There's a somewhat related gulp-connect issue that was opened for the event-stream vulnerability: avevlad/gulp-connect#259