Bump ssri dependency to 8.0.1 in 3.x

[trivikr]

Expected Behavior

When lerna@3.x is used, it's dependencies used should not be linked in a CVE.

Current Behavior

The lerna@3.x uses vulnerable version of ssri@6.0.1 mentioned in CVE GHSA-vx3p-948g-6vhq

Possible Solution

Bump ssri to ^8.0.0 in 3.x release line similar to 41729b4 in 4.x

Steps to Reproduce (for bugs)

Create a project which uses lerna@3.x

lerna.json

N/A

Context

I'm trying to remove dependabot alerts in my project which consumes lerna@3.x

Your Environment

Executable	Version
lerna --version	3.22.1
npm --version	7.5.3
yarn --version	1.22.10
node --version	v14.15.4

OS	Version
macOS Catalina	10.15.7

[JamesHenry]

Hi @trivikr 👋

You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details).

Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves.

We hope you will continue to be a part of this community as we look to take things forward from here!

Please see #3140 for more details on our plans for 2022.

In the case of this specific issue, we already addressed the outdated dependencies mentioned here as part of our v5 release of lerna.

If you run into any issues on the latest version of lerna, please feel free to open a new issue and follow the instructions:
https://github.com/lerna/lerna/issues/new/choose

Many thanks 🙏