
get rid of npm-shrinkwrap #404

Closed
matteofigus opened this issue Mar 13, 2017 · 1 comment

matteofigus commented Mar 13, 2017

So, I am creating an issue to track this.

why the shrinkwrap?

To be clear, the reason we have the shrinkwrap at the moment is to override some subdependencies of the jade module that are insecure (old versions of uglify-js). This is bad because every module change needs a rework of the npm-shrinkwrap, and to limit bad scenarios and allow quick PR reviews we need to make surgical changes to that file in that regard.

future plan

get rid of it when #298 is complete.

in the meanwhile

when working on a dependency,

  • use npm 2 (`sudo npm i npm@2`)
  • run `npm install <module> --save`
  • diff the npm-shrinkwrap file and rework it manually in order to avoid any changes to other modules, only the ones about the module added or upgraded
  • check in the change in the PR
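As an added example (not code from the oc project or from the issue author), a small Node script for the "diff the shrinkwrap" step: it flattens two npm 2 style shrinkwrap objects into dependency paths, lists every entry that differs, and flags those not under the module being added or upgraded, so unrelated bumps can be reverted before the PR. The sample trees and version numbers are constructed.

```javascript
// Added example, not part of the oc repository. Flatten npm 2 style
// shrinkwrap trees (nested "dependencies" objects with a "version" field)
// and report which entries differ between two versions of the file.

// Flatten the nested dependency tree into a map of "path/to/dep" -> version.
function flattenDeps(tree, prefix = "", out = {}) {
  const deps = (tree && tree.dependencies) || {};
  for (const name of Object.keys(deps)) {
    const path = prefix ? `${prefix}/${name}` : name;
    out[path] = deps[name].version;
    flattenDeps(deps[name], path, out);
  }
  return out;
}

// Compare two shrinkwrap objects; returns { added, removed, changed }.
function shrinkwrapDiff(oldSw, newSw) {
  const before = flattenDeps(oldSw);
  const after = flattenDeps(newSw);
  const added = [], removed = [], changed = [];
  for (const p of Object.keys(after)) {
    if (!(p in before)) added.push(p);
    else if (before[p] !== after[p]) changed.push({ path: p, from: before[p], to: after[p] });
  }
  for (const p of Object.keys(before)) if (!(p in after)) removed.push(p);
  return { added, removed, changed };
}

// Paths that do not contain the intended module as a segment are unrelated
// to the change being made and should be reverted before review.
function unrelatedChanges(diff, intendedModule) {
  const touched = [...diff.added, ...diff.removed, ...diff.changed.map(c => c.path)];
  return touched.filter(p => !p.split("/").includes(intendedModule));
}

// Constructed sample (versions are illustrative): the intent is to bump a
// subdependency of jade, but the diff also bumps lodash.
const OLD_SW = { name: "oc", version: "0.0.1", dependencies: {
  jade: { version: "1.11.0", dependencies: { "uglify-js": { version: "2.2.5" } } },
  lodash: { version: "4.17.4" },
} };
const NEW_SW = { name: "oc", version: "0.0.1", dependencies: {
  jade: { version: "1.11.0", dependencies: { "uglify-js": { version: "2.8.0" } } },
  lodash: { version: "4.17.5" },
} };

const sampleDiff = shrinkwrapDiff(OLD_SW, NEW_SW);
console.log(JSON.stringify(sampleDiff, null, 2));
console.log("unrelated to jade:", unrelatedChanges(sampleDiff, "jade"));
```

Run it against `JSON.parse` of the committed and working-copy npm-shrinkwrap.json to get the same report for a real change.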
matteofigus (Member, Author) commented:

Update: I found this awesome module: https://github.com/jnordberg/jade-legacy which is jade + security patches, all green on snyk: https://snyk.io/test/github/jnordberg/jade-legacy

Perhaps by switching jade => jade-legacy we can safely remove the shrinkwrap, as the security patches wouldn't be problematic anymore. /cc @nickbalestra
