
npm install reports 7 high severity vulnerabilities #3181

Closed
cpettitt-confluent opened this issue Aug 6, 2019 · 2 comments · Fixed by #3213
@cpettitt-confluent
Contributor

cpettitt-confluent commented Aug 6, 2019

The CONTRIBUTING.md guide recommends running npm install from the root of the KSQL repo to install commitlint. This command reports several high severity vulnerabilities in dependencies, as shown below:

```
% npm install

> husky@2.5.0 install /Users/xxx/projects/ksql/node_modules/husky
> node husky install

husky > Setting up git hooks
husky > Done
husky > Like husky? You can support the project on Open Collective:
husky > https://www.opencollective.com/husky 🐕

> core-js@2.6.9 postinstall /Users/xxx/projects/ksql/node_modules/core-js
> node scripts/postinstall || echo "ignore"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

npm WARN ksql No repository field.
npm WARN ksql No license field.

added 176 packages from 71 contributors and audited 453 packages in 3.293s
found 7 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
```
@apurvam
Contributor

apurvam commented Aug 13, 2019

This seems like a general problem with NPM, right? Do you know of things we can do to address this @cpettitt-confluent ?

@cpettitt-confluent
Contributor Author

cpettitt-confluent commented Aug 13, 2019

I can take a look. The immediate solution would be to pin to safer versions (particularly of lodash, IIRC).

But generally, npm is a risk and it doesn't seem to be buying us a lot. It also flagged a valid commit message "feat: Add SHOW TOPICS EXTENDED" because I used uppercase words. It might be better to just pull this recommendation from CONTRIBUTING or provide a custom tool written in Java or python if we see value here. It's not actually used to validate commits because I was able to commit with the message above.

@cpettitt-confluent cpettitt-confluent self-assigned this Aug 13, 2019
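The thread's fix was to pin the transitive dependencies (lodash in particular) that `npm audit` flagged. What a maintainer usually wants next is a CI gate that fails on findings at or above a chosen severity and says which declared devDependency (husky, @commitlint/cli, ...) drags the vulnerable module in, so the pin lands in the right place. The script below is an added example, not code from the KSQL repository or from this issue; it assumes the npm 6-style `npm audit --json` shape (an `advisories` object keyed by id, each entry carrying `module_name`, `severity`, `patched_versions` and `findings[].paths` / `findings[].dev`). The embedded `SAMPLE_AUDIT` is a constructed stand-in with placeholder ids, versions and a made-up second module; it is not a real advisory record.

```javascript
// Added example: gate a CI step on `npm audit --json` output and attribute
// each finding to the top-level dependency that pulls it in.
// Usage: npm audit --json | node audit-gate.js --check [minimum-severity]
// Assumption: npm 6 audit JSON ("advisories" keyed by id, with module_name,
// severity, patched_versions and findings[].paths / findings[].dev).
'use strict';

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample (placeholder ids/versions, not a real advisory dump).
// lodash is named in the thread; "sample-transitive" is made up.
const SAMPLE_AUDIT = {
  advisories: {
    '1': {
      id: 1, module_name: 'lodash', severity: 'high', patched_versions: '>=4.0.1',
      findings: [{ version: '4.0.0', dev: true, paths: ['husky>lodash', '@commitlint/cli>lodash'] }],
    },
    '2': {
      id: 2, module_name: 'sample-transitive', severity: 'low', patched_versions: '<0.0.0',
      findings: [{ version: '1.0.0', dev: true, paths: ['husky>sample-transitive'] }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};

// Flatten advisories into one row per (advisory, dependency path) so each
// vulnerable module is attributed to the declared dependency that pulls it in.
function summarizeAudit(audit, minSeverity = 'high') {
  const floor = SEVERITY_RANK[minSeverity];
  if (floor === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const rows = [];
  for (const adv of Object.values(audit.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity] || 0;
    for (const f of adv.findings || []) {
      for (const p of f.paths || []) {
        rows.push({
          module: adv.module_name,
          severity: adv.severity,
          actionable: rank >= floor,
          topLevel: p.split('>')[0],        // "husky>lodash" -> "husky"
          path: p,
          devOnly: f.dev === true,
          // npm writes "<0.0.0" when no patched release exists.
          patched: adv.patched_versions && adv.patched_versions !== '<0.0.0'
            ? adv.patched_versions : null,
        });
      }
    }
  }
  return rows;
}

// Group actionable rows by top-level dependency and decide pass/fail.
function gateReport(rows) {
  const blocking = rows.filter((r) => r.actionable);
  const byTopLevel = {};
  for (const r of blocking) {
    if (!byTopLevel[r.topLevel]) byTopLevel[r.topLevel] = [];
    byTopLevel[r.topLevel].push(r);
  }
  const lines = Object.entries(byTopLevel).map(([dep, rs]) => {
    const mods = [...new Set(rs.map((r) => `${r.module} (${r.severity}, fix: ${r.patched || 'none'})`))];
    const kind = rs.every((r) => r.devOnly) ? 'devDependency' : 'runtime dependency';
    return `${dep} [${kind}] pulls in ${mods.join(', ')}`;
  });
  return { fail: blocking.length > 0, count: blocking.length, lines };
}

function runOn(audit, minSeverity) {
  const report = gateReport(summarizeAudit(audit, minSeverity));
  for (const l of report.lines) console.log(l);
  console.log(report.fail ? `FAIL: ${report.count} finding(s) at or above ${minSeverity}` : 'OK');
  return report.fail ? 1 : 0;
}

// CLI entry point: only active when invoked with --check, so the module can
// also be required by other tooling without touching stdin.
if (typeof require !== 'undefined' && require.main === module && process.argv[2] === '--check') {
  const minSeverity = process.argv[3] || 'high';
  if (process.stdin.isTTY) {
    process.exitCode = runOn(SAMPLE_AUDIT, minSeverity);   // demo on the constructed sample
  } else {
    let input = '';
    process.stdin.on('data', (c) => { input += c; });
    process.stdin.on('end', () => { process.exitCode = runOn(JSON.parse(input), minSeverity); });
  }
}
```

Run it with `npm audit --json | node audit-gate.js --check high` in the repo root; a non-zero exit blocks the pipeline, and the per-dependency lines tell you whether the offending module comes through a devDependency (as with the commitlint tooling here) or a runtime one, and whether a patched range exists to pin to.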
cpettitt-confluent added a commit to cpettitt-confluent/ksql that referenced this issue Aug 14, 2019
Fixes confluentinc#3181

Prior to this change:

```
% npm install
npm WARN ksql No repository field.
npm WARN ksql No license field.

removed 9 packages, updated 21 packages and audited 453 packages in 1.219s
found 7 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
```

With this change:

```
% npm install
npm WARN ksql No repository field.
npm WARN ksql No license field.

audited 456 packages in 1.027s
found 0 vulnerabilities
```
cpettitt-confluent added a commit that referenced this issue Aug 14, 2019
#3213)

Fixes #3181