Fix: Upgrade Cheerio to patch security vulnerability

[Tyharo1]

Upgraded cheerio to latest to resolve ReDos security vulnerability introduced by nth-check@1.0.2.

Vulnerability details can be found here
The dependency chain that introduced this issue is as follows: ember-svg-jar@2.3.4 > cheerio@0.22.0 > css-select@1.2.0 > nth-check@1.0.2

The latest version Cheerio no longer requires css-select.

Note: I ran yarn-deduplicate (package) to clean up the yarn lock file since the project is running yarn v1, this is why there are a few more changes in the yarn-lock files than normal.

[Tyharo1]

@jherdman It appears you're most active on this repo. If you have some time for a review it would be greatly appreciated! If you have any questions feel free to ask away 😃

[jherdman]

Don't take this the wrong way, but I'm kind of hoping this fails 😆 . I tried to upgrade this dependency in the past and ran into a pile of headaches. Worse yet, I can't seem to find an alternative package that covers our needs.

Fingers crossed this works and I was just too boneheaded to make it work!

[Tyharo1]

Is there an easy way to rerun a job? Kinda odd the windows-latest had a timeout, want to ensure its not just a one off network issue.

[jherdman]

Yeah, you have a few options:

1. You can push up an empty commit
2. Amend your commit and force push

The failure with broc-svg-optimizer is legit though. I had attempted to remove a bunch of these tests in #221 because I don't feel it's our job to smoke test SVGO for breaking changes. I didn't chase down why this wasn't working.

[jherdman]

Oops! Thought of a third option. Re-running.

[Tyharo1]

Oops! Thought of a third option. Re-running.

I must not have permission to see the re-run button. No worries though, I'll work around it. I thought the broc-svg-optimizer failure was legit but just thought the timeout was odd haha.

[Tyharo1]

@jherdman sorry to bother you again but any chance you would know why the CI tasks didn't kick off after my last commit amend? Trying to see if maybe the yarn-deduplicate maybe causing the dependency install timeout. I rolled back to the main branch and just upgraded cheerio, nothing else.

[jherdman]

I have to approve and run the workflows. I'll kick it off now. Don't be shy about pinging me on this matter. ❤️

[Tyharo1]

@jherdman Looks like the broccoli and embroider-optimized tests are currently failing today in the main branch. It looks like the ember-cli-fastboot upgrade resolved some currently failing CI tests though! I was using your latest merge as here as a reference for "normal" test failures.

[jherdman]

I'll give this a whirl tomorrow to smoke test. I think I'm okay with the fails as is. We can sort those out later.

[jherdman]

I'm happy to bless and merge this PR. Many thanks @Tyharo1 for your work! ❤️

[Tyharo1]

@jherdman Thanks for the help getting this tested and reviewed! 🥇