fix(security): update vulnerable packages, include React 17 in peerDeps

[hoobdeebla]

This PR aims to reduce the amount of warnings users see from their package manager on first install.

1. Updates React peerDependency of Gatsby and plugins to include React 17
2. Updates the following packages to remove vulnerabilities and peerDependency warnings: axios, babel-plugin-add-module-exports, contentful-management, debug, documentation, gatsby-plugin-webfonts, hicat, lodash-webpack-plugin, node-fetch, probe-image-size, rewire, subfont, verdaccio, webpack-dev-server, yargs, yurnalist. Major changes are as follows:

Package	Change	Breaking Changes
babel-plugin-add-module-exports	^0.3.3 -> ^1.0.4	actually work with Babel 7 (does not affect usage here)
contentful-management	^5.26.3 -> ^7.5.1	none that affect usage in gatsby-recipes
documentation	^12.3.0 -> ^13.1.0	require Node 10
hicat	^0.7.0 -> ^0.8.0	none (I made the changes myself)
node-fetch	^1.7.3 -> ^2.6.1	none that affect usage in gatsby-source-graphql
probe-image-size	^5.0.0 -> ^6.0.0	require Node 10, switch from request to needle - none that affect usage in gatsby packages
rewire	^4.0.1 -> ^5.0.0	require Node 8 (does not affect usage in gatsby-plugin-offline)
subfont	^4.2.2 -> ^5.2.5	require Node 10 (does not affect usage in gatsby-plugin-subfont)
yargs	^10.1.2 -> ^15.4.1	none that affect usage at the root of the monorepo
yurnalist	^1.1.2 -> ^2.1.0	improve silent mode, update dependencies - none that affect usage in gatsby-cli

Fixes #28781
Fixes #28858

[hoobdeebla]

No idea why the bootstrap run keeps failing 🤔 everything bootstraps locally. Even the Windows run (which includes its own bootstrap step) is passing on CI.

Each run fails on the gatsby-plugin-image build step. Here is the output from the most recent run:

lerna ERR! yarn run prepare stderr:
(node:6686) ExperimentalWarning: The fs.promises API is experimental
(node:6722) ExperimentalWarning: The fs.promises API is experimental
(node:6708) ExperimentalWarning: The fs.promises API is experimental
(node:6707) ExperimentalWarning: The fs.promises API is experimental
(node:6730) ExperimentalWarning: The fs.promises API is experimental
internal/child_process.js:358
    throw errnoException(err, 'spawn');
    ^

Error: spawn ENOMEM
    at ChildProcess.spawn (internal/child_process.js:358:11)
    at spawn (child_process.js:533:9)
    at Object.fork (child_process.js:108:10)
    at ChildProcessWorker.initialize (/home/circleci/project/node_modules/jest-worker/build/workers/ChildProcessWorker.js:137:44)
    at ChildProcessWorker.onExit (/home/circleci/project/node_modules/jest-worker/build/workers/ChildProcessWorker.js:263:12)
    at ChildProcess.emit (events.js:182:13)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:240:12)
error Command failed with exit code 1.
ERROR: "build:browser" exited with 1.
error Command failed with exit code 1.
error Command failed with exit code 1.

lerna ERR! yarn run prepare exited 1 in 'gatsby-plugin-image'

The two errors it generates are: 1) fs.promises is an experimental API; 2) there is a memory leak somewhere during the microbundle build. Neither of these errors occur when I bootstrap locally on Node 10.13.0 or 12.20.0. Whether the first, the second, or both errors throw on each CI run seems to be random.

[hoobdeebla]

Updated the PR to include an upstream security fix for hicat and a yarn.lock security patch for ini.

I am still receiving the aforementioned errors on CircleCI but not locally. Also, it seems like ALL current PRs are erroring on windows_unit_tests runs because of a connection problem. I would appreciate if a team member could look into these issues.

[hoobdeebla]

Still getting the bootstrap errors about every 9 out of 10 CI runs (but never locally). Occasionally it passes without erroring, but then it doesn't pass some e2e tests, which I have been unable to run because I develop in WSL.

[hoobdeebla]

I guess the issue was because I removed react and react-dom from the peerDeps of gatsby-plugin-image. Again, I only saw this issue on CI and never had a build fail locally with either of the two errors CircleCI gave.

[LekoArts]

Can you please revert Removes React peerDependency from Gatsby dependents since it will be met by Gatsby itself as those are necessary for module resolutions? Thanks!