This repository was archived by the owner on Nov 21, 2023. It is now read-only.
High vulnerability in download dependency #31
Closed
Description
When installing caxa, it introduces a high vulnerability from the download dependency.
```
$ npm i
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
> caxa@2.0.0 postinstall
> node postinstall.js
> caxa@2.0.0 prepare
> tsc
added 695 packages, and audited 696 packages in 8s
30 packages are looking for funding
run `npm fund` for details
7 vulnerabilities (2 moderate, 5 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
```
An issue has been raised in the official repo:
kevva/download#216