[meta] package.json - Update Jest & jscodeshift

[lb-]

• Resolves multiple npm audit issues - 11 vulnerabilities (9 moderate, 2 high)
• Manually ran tests locally while updating each version of babel-jest progressively and no issues found
• Ran the npm run create commands as documented after jscodeshift update and no issues found

After this update, as of today, there are now 0 vulnerabilities.

These are only development dependencies, nonetheless it's better to try to update these where possible as they still run on contributor machines.

Full audit report as per main branch at 4925ba8

➜ npm audit
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@jest/transform/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jscodeshift/node_modules/braces
node_modules/sane/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/@jest/transform/node_modules/micromatch
  node_modules/jest-haste-map/node_modules/micromatch
  node_modules/jest-message-util/node_modules/micromatch
  node_modules/jscodeshift/node_modules/micromatch
  node_modules/sane/node_modules/micromatch
    @jest/transform  <=24.9.0
    Depends on vulnerable versions of jest-haste-map
    Depends on vulnerable versions of jest-util
    Depends on vulnerable versions of micromatch
    node_modules/@jest/transform
      babel-jest  24.2.0-alpha.0 - 24.9.0
      Depends on vulnerable versions of @jest/transform
      node_modules/babel-jest
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/jest-haste-map/node_modules/anymatch
    node_modules/sane/node_modules/anymatch
      jest-haste-map  18.1.0 - 26.6.2
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of jest-util
      Depends on vulnerable versions of micromatch
      Depends on vulnerable versions of sane
      node_modules/jest-haste-map
      sane  1.5.0 - 4.1.0
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of micromatch
      node_modules/sane
    jest-message-util  18.5.0-alpha.7da3df39 - 24.9.0
    Depends on vulnerable versions of micromatch
    node_modules/jest-message-util
      @jest/fake-timers  <=24.9.0
      Depends on vulnerable versions of jest-message-util
      node_modules/@jest/fake-timers
        jest-util  24.2.0-alpha.0 - 24.9.0
        Depends on vulnerable versions of @jest/fake-timers
        node_modules/jest-util
    jscodeshift  0.3.20 - 0.13.1
    Depends on vulnerable versions of micromatch
    node_modules/jscodeshift


11 vulnerabilities (9 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	Transitive: environment, filesystem, shell, unsafe	+164	23.8 MB	daniel15

🚮 Removed packages: npm/[email protected]

View full report↗︎

[ljharb]

Most audit warnings are false positives; having zero is nice but not a goal to optimize for.

That said, what are the breaking changes in jscodeshift? Tests don’t exercise it - it’s used to generate scaffolding for a new rule.

[lb-]

Thanks @ljharb

I have confirmed I can run the two following scripts before and after the jscodeshift update without triggering any diffs in my local changes.

npm run create -- rule-name --author="Your name" --description="Description of rule"
npm run create -- no-marquee --author="Ethan Cohen <@evcohen>" --description="Enforce <marquee> elements are not used."

Example screenshot of files added

[lb-]

Thanks @ljharb