
Run npm audit and upgrade identified vulnerable deps #386

Open
hunterlester opened this issue Sep 25, 2018 · 3 comments

hunterlester commented Sep 25, 2018

The yarn team is working on its own command, but it's not ready yet:
yarnpkg/yarn#5808

  • Requires package-lock.json and npm@6.
  • Remove node_modules directories and then run npm i to produce package-lock.json.
  • Run npm audit and then npm audit fix to upgrade vulnerable dependencies.
  • package.json will have been automatically updated.
  • Remove package-lock.json
  • Run yarn to produce an updated yarn.lock to commit to repo.
@hunterlester hunterlester self-assigned this Sep 25, 2018
@hunterlester
Contributor Author

This task is more involved than it appears:

  • In order to be able to create package-lock.json, spectron needs to be installed with npm i spectron --save-dev, which will upgrade spectron's major version. This breaks several tests, requiring a separate task to fix all the tests, when this task is concerned with finding and upgrading vulnerable dependencies.

@hunterlester
Contributor Author

Proposal to close this task.
There are two possibly significant vulnerabilities identified, which should be resolved when we upgrade the electron version:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.3 <4.0.0 || >=4.1.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ electron                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ electron > electron-download > nugget > request > hawk >     │
│               │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.3 <4.0.0 || >=4.1.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ asar                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ asar > mksnapshot > request > hawk > cryptiles               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

@joshuef
Collaborator

joshuef commented Nov 15, 2018

Okay, let's mark this as blocked until the electron version is updated (and with that, we'd need to update spectron also, I suspect)

@hunterlester hunterlester removed their assignment Jun 8, 2020