Update npm packages based on the Dependabot alert

[Adnan-cds]

The weekly Dependabot alerts have been patiently pointing out the npm packages that have security updates available. We are not using these packages in the backend. So as discussed in Standup already, these vulnerabilities are less severe for us. But should be actioned at some point just in case.

@cjstevens78 @finnlewis @paulpopus @willguv

[paulpopus]

I don't have "admin" or the right permissions on this repo like I do on the docs repo, so I can't see the alerts. Usually I'm on top of them. Happy to take a look if you or someone else can give me the perms, the bot usually opens a PR for you! @Adnan-cds

[Adnan-cds]

Usually I'm on top of them. Happy to take a look if you or someone else can give me the perms

Ah... I always thought you have write access to this repo. Done now. @paulpopus

[paulpopus]

@Adnan-cds I still don't see the dependabot alerts under the Security tab like I do in the docs repo. Unless I'm not meant to?

[Adnan-cds]

Unless I'm not meant to?

You are right. Just having write access doesn't activate the Dependabot alerts. I have had to explicitly add you to the list of people and teams who will get these alerts. Chris and Dan should receive it too. @cjstevens78 @danchamp @paulpopus

[paulpopus]

Thanks I'll get on them!

[Adnan-cds]

Thanks Paul :) Please do assign this issue to yourself when you are ready. @paulpopus

[paulpopus]

Hi @Adnan-cds
So I've solved some of the security issues, some outstanding things.
PR for you or someone to review, I've removed gulp-notify gulp-plumber and gulp-version-append because they were unused modules, some which now used deprecated dependencies and removed them from the Gulpfile (their functionality was not used). I need this reviewed, issues may still be outstanding but it will make them easier to resolve.

For this issue I want to Dismiss it as "Vulnerable code is not used" because we don't run Node.js apps and in the Mocha tests we're using the correct child_process.execSync function.

[Adnan-cds]

I want to Dismiss it as "Vulnerable code is not used"

That'll do. Thanks :)

[Adnan-cds]

Let's wait for next weeks Dependabot report before closing this ticket.

[paulpopus]

I think it's good to close now, I'll get on any alerts if they come up.