Add npm audit to CI

[BCerki]

No description provided.

[wenzowski]

There are a few known issues with npm audit.

• No way to ignore advisories
• Unable to filter out low severity issues
• Ongoing network issues with NPM registry can cause false positives
• Noise from dev dependencies

Popular alternatives include:

• better-npm-audit
• improved-yarn-audit

I'd also recommend reviewing the Security tab and consider splitting off a new issue to configure CodeQL.

[wenzowski]

This looks like the continuation of #11

[BCerki]

There are a few known issues with npm audit.

• No way to ignore advisories
• Unable to filter out low severity issues
• Ongoing network issues with NPM registry can cause false positives
• Noise from dev dependencies

Popular alternatives include:

• better-npm-audit
• improved-yarn-audit

I'd also recommend reviewing the Security tab and consider splitting off a new issue to configure CodeQL.

@wenzowski, general question: when you make a comment like this (there are other tools than the one I'm using that might be better), how does that translate to a to-do? Use npm audit but be aware there are limitations and consider something else next time? Research the popular alternatives and implement the one I think is best (or have a team discussion about what one is best and then implement that)?

[wenzowski]

I'd lean to decompose wherever possible. If there's an opportunity to achieve implementation npm audit --audit-level=moderate guardrail in an efficient manner, I'd ship that first before looking at additional dependencies. If, however, the builtin npm audit appears to be difficult to bring to passing state due to the frictions noted here I'd comment to that effect, close the npm audit PR without merging (leaving a reference here) and try one of the alternate tools (above) directly.

[BCerki]

This is linked to https://github.com/button-inc/digital_marketplace/issues/6--these updates will probably fix a lot of the issues

[BCerki]

Will switch to yarn so find a different audit