feat: add npmaudit and semgrep in github workflows. Fix dependabot on merge package

[dlpzx]

Feature or Bugfix

• Feature
• Bugfix

Detail

• add npm-audit github workflow on PR
• add semgrep worflow on PR and on schedule
• ignore semgrep issues with explanation. Those to be fixed will be fixed in Fix incomplete-sanitization findings with regex #739 and Replace shell=true commands in subprocess function #738
• remove make security checks that uses safety library and rename it as linting
• upgrade all pacakges, add package-lock and pin merge to version 2.1.1

Relates

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes
  fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  • Is the input sanitized?
  • What precautions are you taking before deserializing the data you consume?
  • Is injection prevented by parametrizing queries?
  • Have you ensured no eval or similar functions are used?
• Does this PR introduce any functionality or component that requires authorization?
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  • Are you logging failed auth attempts?
• Are you using or adding any cryptographic features?
  • Do you use a standard proven implementations?
  • Are the used keys controlled by the customer? Where are they stored?
• Are you introducing any new policies/roles/users?
  • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[maryamkhidir]

I thought we wanted to remove this from package.json after generating the integrity sha-id in yarn.lock

[dlpzx]

I prefer to leave it to ensure that if we generate another yarn.lock it forces the non-vulnerable version of the package.

[dlpzx]

Tested in AWS.