This repository has been archived by the owner on Aug 26, 2022. It is now read-only.

deps(node): update to the latest version of dependencies #4781

Closed

schalkneethling

When doing a fresh install of Kuma I ran into a bunch of security warnings and deprecations. node-sass also fails to install. I had a quick look at the versions we have in package.json and realised they are way out of date.

I updated all dev dependencies to the latest stable, and locked down the versions using `--save-exact`.

@escattone
Contributor

Sorry for the delay @schalkneethling! I got a warning when I did an npm install within the Kuma container. It complains that gulp-stylelint@7.0.0 requires a "peer" of stylelint@^9.0.0. Do you see that as well?

```
$ docker-compose exec --user root web bash
root@edb01abf18dc:/app# npm install
npm WARN gulp-stylelint@7.0.0 requires a peer of stylelint@^9.0.0 but none was installed.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.3 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
```

It made me want to upgrade our global installs of fibers, csslint, jshint, node-sass, uglify-js, clean-css, and stylelint within the Kuma container, as well as the version of node (which is at 6.12). However, when I tried going down that path, the first thing I hit was an error that seems to be an issue with npm (npm/npm#16766), so I backed off for now.

@schalkneethling
Author

> It complains that gulp-stylelint@7.0.0 requires a "peer" of stylelint@^9.0.0. Do you see that as well?

@escattone Nope, not seeing that myself, but I am not installing it inside the docker container directly. I run `npm i` on my local machine. Perhaps that is what is causing the difference?

> npm WARN gulp-stylelint@7.0.0 requires a peer of stylelint@^9.0.0 but none was installed.

This is interesting. I would have thought that gulp-stylelint would require stylelint as a dependency and install it that way. Perhaps it has been decoupled and you need to explicitly add it as a dependency now. Again, not something I encountered, but it does seem problematic.

Let me also run this via the container and see if I run into the same problems. Thanks!

@jwhitlock
Contributor

jwhitlock commented May 24, 2018

My preference would be to split this up into a few PRs:

  1. Update node to 8.x in the docker image, with no dependency version changes if possible.
  2. Update yarn in the docker image. We aren't using yarn in docker or on the host, so instead remove yarn.
  3. Update the libraries in the docker image to the desired versions.
  4. Update package.json (this PR).

In the long run, I'm interested in splitting between a builder image and a runtime image - node.js isn't needed to run Kuma, just to build assets for production. But I think that will be even more work than this slow 4-step plan.

@schalkneethling
Author

schalkneethling commented May 26, 2018

Sounds good to me @jwhitlock. With some of these packages we are waaaay out of date and should really upgrade, and also find a way to make upgrading be more frictionless. At the moment you can have a newer version of Nodejs and NPM locally and use npx with the node package to overcome installation problems locally.

Basically you do:

`npx -p node@6 npm i` and then `npx -p node@6 gulp`. We should probably add this to contribution docs somewhere until the other parts have landed. Thoughts?

@jwhitlock
Contributor

Thanks, I wasn't aware of npx.

Our deployment pipeline requires that the tools we use to build assets run in docker. We are still recommending that front-end developers install the tools locally for speed and efficiency, such as in the install docs and the development docs. This was done because of performance issues with gulp in a docker environment, and we didn't have the bandwidth or the Docker experience to come up with a solution. The dual development methods are part of the reason that front-end tools are behind while Python tools are updated often.

I think we'll be able to tackle this in the coming months, using some strategies that the bedrock team have implemented.

@jwhitlock
Contributor

These changes, or ones like them, were merged as 9ca5ddc in PR #4852

@jwhitlock jwhitlock closed this Jul 26, 2018