chore(dependencies): loosen constraints on dependency checker

[rusackas]

SUMMARY

Right now, the dependency checker action blocks PRs if they introduce a package with a "high" severity CVE. This is becoming counterproductive in several PRs, particularly as we mess around with cleaning up packages. For example, you might fix one or more critical issues by upgrading to packages that include a high issue in their dependency tree. Let's just block on critical for now, and tigthen the screws after 4.0, perhaps.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (d34874c) 69.48% compared to head (1694ec9) 69.48%.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #26708   +/-   ##
=======================================
  Coverage   69.48%   69.48%           
=======================================
  Files        1894     1894           
  Lines       74138    74138           
  Branches     8243     8243           
=======================================
  Hits        51514    51514           
  Misses      20555    20555           
  Partials     2069     2069           

Flag	Coverage Δ
hive	53.85% <ø> (ø)
javascript	56.86% <ø> (ø)
mysql	78.02% <ø> (ø)
postgres	78.13% <ø> (ø)
presto	53.80% <ø> (ø)
python	83.01% <ø> (ø)
sqlite	77.71% <ø> (ø)
unit	56.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mistercrunch]

Is there any way to make it warn on high but not block. I mean in theory it's good to know if there's a known issue with a new package being brought in, but clearly it misses the mark as vulnerabilities are often discovered after the package is introduced.

[rusackas]

No, the action either blocks or it doesn't.... there's no warning system (or at least not one people will pay attention to). The moderate/high/critical warnings people are mostly likely to see are the ones that show up when they do npm install -where you'll currently see 14 critical warnings. In some cases, it's impossible to fix the critical vulnerabilities without introducing high vulnerabilities, thus the need to (temporarily) lower this threshold.