fix: remove/upgrade outdated deps

[JJ]

As described in #10

PR Checklist:

• I have run npm test locally and all tests are passing.
• I have added/updated tests for any new behavior.
  
• If this is a significant change, an issue has already been created where the problem / solution was discussed:
  • Prototype pollution method in js-prim (introduced through http-signature) #10
  • Most packages need some upgrade #12

PR Description

Was: Essentially upgrade to the version where it was patched.
Now: Well,

• The karma suite has been upgraded, mainly because some of them were incompatible with current versions of node
• I've eliminated two tests (and corresponding variables), one of which was already commented out because it failed. They all failed now, so it means that part is not tested now, because it would probably need some refactoring which is outside the scope of this PR (famous last words...)
• Since the reviewer requested to add package-lock.json, I did... together with its disabling from .gitignore
• har-validator has been eliminated, since it was deprecated, and no wonder no one had noticed, since it wasn't used anyway.
• nyc upgraded to take care of the deprecation notice for non-monorepoid istanbul.

[JJ]

Ping?

[macGYves]

Since I'm not a maintainer of this project, I am actually glad that my approval was not sufficient to get this PR merged.
It would be good to get the vulnerability fixed soon.

[EtienneBruines]

@flotwig Could you look into merging this PR to mitigate the security vulnerability?

[sddtc]

Please merge it ASAP 🙏

[flotwig]

Please update the package-lock.json.

Could you look into merging this PR to mitigate the security vulnerability?

It would be good to get the vulnerability fixed soon.

Also, note that this is not a vulnerability in Cypress. We do not use options.httpSignature, nor is there any way for a third party to exploit it. Automated vulnerability scanners like Snyk are a great way to waste time and tick checkboxes.

[JJ]

Please update the package-lock.json.

Could you look into merging this PR to mitigate the security vulnerability?

It would be good to get the vulnerability fixed soon.

Also, note that this is not a vulnerability in Cypress. We do not use options.httpSignature, nor is there any way for a third party to exploit it. Automated vulnerability scanners like Snyk are a great way to waste time and tick checkboxes.

Consider it general upgrading and maintenance. npm i reveals this:

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'karma-cli@1.0.1',
npm WARN EBADENGINE   required: { node: '0.10 || 0.12 || 4 || 5 || 6' },
npm WARN EBADENGINE   current: { node: 'v16.2.0', npm: '7.19.1' }
npm WARN EBADENGINE }
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated sprintf@0.1.5: The sprintf package is deprecated in favor of sprintf-js.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated phantomjs-prebuilt@2.1.16: this package is now deprecated
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated codecov@3.8.3: https://about.codecov.io/blog/codecov-uploader-deprecation-plan/
npm WARN deprecated istanbul@0.4.5: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

I'll try to address some of them in this PR.

[JJ]

Please update the package-lock.json.

Hey, that's not even in the repo... It's even added to the .gitignore. I can add it if you want...

[flotwig]

Lol my bad, I had it locally, but it's not in the repo.

[JJ]

Lol my bad, I had it locally, but it's not in the repo.

No problem I was really surprised that I kept adding and eliminating stuff and it didn't show up in the git status. There's probably a good reason for that hidden in the original code... But I guess that nowadays it's better if we keep it in the repo. And a good thing to generate that too, since that revealed a series of errors that I tried to address in #13 (superseded now, I'll close it).

[GrahamCampbell]

The package-lock.json file should not be committed.

[flotwig]

The package-lock.json file should not be committed.

Direct contradiction with the NPM docs:

https://github.com/npm/cli/blob/latest/docs/content/configuring-npm/package-lock-json.md#description

This file is intended to be committed into source repositories

[JJ]

The package-lock.json file should not be committed.

Direct contradiction with the NPM docs:

https://github.com/npm/cli/blob/latest/docs/content/configuring-npm/package-lock-json.md#description

This file is intended to be committed into source repositories

🍿

[JJ]

Look, I don't want to go one way or the other. I'm just saying the change to .gitignore was introduced 4 years ago here ffdf0d3 The commit message does not seem to point to an issue or anything like that, so my POV is that in absence of clear repo-wide directives, the general directive that @flotwig mentions applies.

[JJ]

OTOH,

git log --full-history -- package-lock.json

Seems to indicate it's never actually been there, so there's that.

[flotwig]

🎉 This PR is included in version 2.88.8 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[erwanriou]

we might want to keep this for now

[JJ]

It's deprecated, and it wasn't actually tested, which is why this didn't show up in a simple test.