
9 vulnerabilities found in typescript-migration branch, including one breaking change #526

Closed
Jimmy-Vu opened this issue Feb 24, 2023 · 2 comments

Comments

@Jimmy-Vu
Contributor

Issue Description

I encountered this issue while working on my child branch of the typescript-migration branch for issue #493. After uninstalling the danger package using the command npm uninstall --save-dev danger, I encountered 9 vulnerabilities related to other packages in the project. These vulnerabilities include inefficient regular expression complexity, a redirect vulnerability, and prototype pollution. Additionally, one of the vulnerabilities requires a breaking change to fix.

Steps to Reproduce

  1. Checkout a new branch off of the typescript-migration branch
  2. Uninstall the danger package by running the command npm uninstall --save-dev danger
  3. Run the command npm audit to check for any vulnerabilities
  4. The audit should report 9 vulnerabilities, including one breaking change.

Expected Behavior

I expected the danger package to be uninstalled without any issues.

Actual Behavior

Upon attempting to uninstall the package, npm reported 9 vulnerabilities related to other packages in the project.

Vulnerabilities Reported

  • ansi-regex
  • got
  • hosted-git-info
  • ini
  • minimatch
  • minimist

Severity

  • 5 moderate
  • 3 high
  • 1 critical

Breaking Change

The vulnerability related to the got package requires a breaking change to fix. Specifically, the fix would install update-notifier@6.0.2, which npm declares as a breaking change.

Additional Context

My forked repo is up-to-date with the original repo, and my local typescript-migration branch is up-to-date with the remote forked repo.

NPM Audit Message

# npm audit report

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
node_modules/strip-ansi/node_modules/ansi-regex

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install update-notifier@6.0.2, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info

ini  <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/ini

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist

9 vulnerabilities (5 moderate, 3 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
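The report above is the human-readable form; `npm audit --json` emits the same findings as structured data, which is what you want when deciding in CI whether `npm audit fix` is enough or a `--force` (semver-major) bump is being proposed. The following is an added example, not code from this project: it triages a report in the npm 7+ JSON shape (each `vulnerabilities[name]` entry carries `severity`, `range`, `fixAvailable` as `true`/`false`/`{name, version, isSemVerMajor}`, and `via`, which mixes advisory objects for direct findings with package-name strings for inherited ones). The embedded report is constructed to mirror the nine findings in this issue; the advisory titles and GHSA ids are the ones quoted above.

```javascript
"use strict";
// Added example (not the project's code): triage an `npm audit --json` report.
// Assumes the npm >= 7 report shape described in the lead-in. SAMPLE_AUDIT is a
// constructed report mirroring the nine findings in this issue.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Helpers that keep the constructed sample compact.
function vuln(name, severity, range, fixAvailable, via) {
  return { name, severity, range, isDirect: false, fixAvailable, via };
}
function advisory(title, ghsa) {
  return { title, url: `https://github.com/advisories/${ghsa}` };
}

// The single semver-major fix npm proposed for the got chain.
const forceFix = { name: "update-notifier", version: "6.0.2", isSemVerMajor: true };

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "ansi-regex": vuln("ansi-regex", "high", "3.0.0 || 4.0.0 - 4.1.0", true,
      [advisory("Inefficient Regular Expression Complexity in chalk/ansi-regex", "GHSA-93q8-gq69-wqmw")]),
    got: vuln("got", "moderate", "<11.8.5", forceFix,
      [advisory("Got allows a redirect to a UNIX socket", "GHSA-pfrx-2q88-qq97")]),
    "package-json": vuln("package-json", "moderate", "<=6.5.0", forceFix, ["got"]),
    "latest-version": vuln("latest-version", "moderate", "0.2.0 - 5.1.0", forceFix, ["package-json"]),
    "update-notifier": vuln("update-notifier", "moderate", "0.2.0 - 5.1.0", forceFix, ["latest-version"]),
    "hosted-git-info": vuln("hosted-git-info", "moderate", "<2.8.9", true,
      [advisory("Regular Expression Denial of Service in hosted-git-info", "GHSA-43f8-2h32-f4cj")]),
    ini: vuln("ini", "high", "<1.3.6", true,
      [advisory("ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse", "GHSA-qqgx-2p2h-9c37")]),
    minimatch: vuln("minimatch", "high", "<3.0.5", true,
      [advisory("minimatch ReDoS vulnerability", "GHSA-f8q6-p94x-37v3")]),
    minimist: vuln("minimist", "critical", "<=1.2.5", true,
      [advisory("Prototype Pollution in minimist", "GHSA-xvch-5gv4-984h"),
       advisory("Prototype Pollution in minimist", "GHSA-vh95-rmgr-6w4m")]),
  },
};

// Count findings per severity from the entries themselves rather than trusting
// report.metadata, so the two can be cross-checked.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 };
  for (const v of Object.values(report.vulnerabilities)) {
    counts[v.severity] += 1;
    counts.total += 1;
  }
  return counts;
}

// Packages vulnerable in their own right (an advisory object appears in `via`),
// as opposed to those flagged only for depending on one. Fixing these is what
// clears a whole chain such as got -> package-json -> latest-version -> update-notifier.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => v.name)
    .sort();
}

// Findings whose only fix is a semver-major bump: the ones `npm audit fix`
// skips and `--force` would apply. Grouped by the bump npm would perform.
function breakingFixes(report) {
  const out = new Map();
  for (const v of Object.values(report.vulnerabilities)) {
    const f = v.fixAvailable;
    if (f && typeof f === "object" && f.isSemVerMajor) {
      const key = `${f.name}@${f.version}`;
      if (!out.has(key)) out.set(key, { bump: key, affected: [] });
      out.get(key).affected.push(v.name);
    }
  }
  return [...out.values()];
}

// CI gate: fail when any finding is at or above `threshold`, listing offenders.
function gate(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  const failing = Object.values(report.vulnerabilities)
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => `${v.name} ${v.range} (${v.severity})`)
    .sort();
  return { ok: failing.length === 0, failing };
}

// Stand-alone run against the constructed sample.
console.log(countBySeverity(SAMPLE_AUDIT));
console.log("root causes:", rootCauses(SAMPLE_AUDIT));
console.log("breaking fixes:", breakingFixes(SAMPLE_AUDIT));
const verdict = gate(SAMPLE_AUDIT, "high");
console.log(verdict.ok ? "gate: pass" : `gate: FAIL\n  ${verdict.failing.join("\n  ")}`);
```

To run it against a real tree, capture `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json", "utf8"))` to the same functions. The useful split is between `rootCauses` (six packages here) and the nine reported entries: three of the nine are only transitively affected, and all four entries in the got chain collapse onto the single `update-notifier@6.0.2` bump that npm flags as breaking.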
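Two of the findings above (minimist and ini) are prototype pollution, the class of bug where a parser that builds nested objects from untrusted keys lets a key such as `__proto__` reach `Object.prototype` and plant a property on every object in the process. The following is an added example, not minimist's or ini's code: a minimal `--key.path=value` argument parser with the naive nested-key assignment beside a hardened one, plus a function that shows the effect on a constructed hostile argv. The parser, helper names and the sample arguments are assumptions made here for illustration.

```javascript
"use strict";
// Added example (not minimist's or ini's code): the prototype-pollution bug
// class behind the minimist and ini advisories, beside a hardened parser.
// Parser, helper names and sample input are illustrative assumptions.

// Naive: walks dotted keys and creates intermediate objects on the fly.
// A key like `__proto__.isAdmin` makes `obj.__proto__` resolve to
// Object.prototype, so the final assignment lands on every object.
function setPathUnsafe(target, dotted, value) {
  const parts = dotted.split(".");
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    if (typeof cur[p] !== "object" || cur[p] === null) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Keys that reach the prototype chain: `constructor.prototype.x` is the
// same attack as `__proto__.x` by a longer route.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: refuse reserved keys, only descend into own properties, and build
// containers with a null prototype so no lookup can walk up to Object.prototype.
function setPathSafe(target, dotted, value) {
  const parts = dotted.split(".");
  if (parts.some((p) => BLOCKED.has(p))) {
    throw new Error(`refusing to set reserved key in "${dotted}"`);
  }
  let cur = target;
  for (const p of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, p);
    if (!own || typeof cur[p] !== "object" || cur[p] === null) {
      cur[p] = Object.create(null);
    }
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Tiny argv parser handling only `--a.b=c` and bare `--flag` forms; `setPath`
// is one of the two functions above, `out` is the object to fill.
function parseArgs(argv, setPath, out) {
  for (const arg of argv) {
    if (!arg.startsWith("--")) continue;
    const eq = arg.indexOf("=");
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    setPath(out, key, value);
  }
  return out;
}

// Constructed hostile input: one benign option and one pollution attempt.
const HOSTILE_ARGV = ["--name=alice", "--__proto__.isAdmin=true"];

// Runs both parsers over the same argv and reports what a fresh `{}` sees
// before and after each. Pollution is undone at the end so the rest of the
// process is not left poisoned.
function pollutionDemo(argv) {
  const before = {}.isAdmin; // undefined on a clean runtime
  let safeError = null;
  try {
    parseArgs(argv, setPathSafe, Object.create(null));
  } catch (e) {
    safeError = e.message;
  }
  const afterSafe = {}.isAdmin; // still undefined: the hardened parser refused
  parseArgs(argv, setPathUnsafe, {});
  const afterUnsafe = {}.isAdmin; // "true": every object is now "admin"
  delete Object.prototype.isAdmin;
  return { before, afterSafe, afterUnsafe, safeError };
}

console.log(pollutionDemo(HOSTILE_ARGV));
```

The check worth keeping from this is the last one in `pollutionDemo`: after any untrusted parse, a property appearing on a fresh `{}` that was never set is the signature of pollution, and it is also why a polluted process needs restarting rather than patching in place. Note that `JSON.parse('{"__proto__":{}}')` creates an own property and is harmless on its own; it is the recursive merge or path-assignment step that turns it into pollution, which is what the hardened `setPathSafe` guards against.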
@jwu910
Owner

jwu910 commented Jun 20, 2023

I think this is handled @Jimmy-Vu. Think we're looking at a minimum node version bump from 10 to 14, though.

@jwu910
Owner

jwu910 commented Jul 13, 2023

Ended up bumping to 16. We're down to just some old deps around commitizen from child deps; I think we're gonna be okay for now. Thanks @Jimmy-Vu, see #534.

@jwu910 jwu910 closed this as completed Jul 13, 2023