chore: update dependencies

[nolanlawson]

Details

Our regularly-scheduled dependency bump. yarn audit is now at 0 vulnerabilities. 🎉

Does this PR introduce breaking changes?

• ✅ No, it does not introduce breaking changes.

[nolanlawson]

"//" is a safe and encouraged way to add comments to package.json.

I felt this was appropriate because otherwise it may be confusing for the next person why we're stuck on TypeScript v4.3.5.

This will be fixed in TypeScript 4.4.3: rollup/plugins#983 (comment)

[nolanlawson]

In order to upgrade estree-walker to v3 we would need to get rid of our CommonJS build output for @lwc/template-compiler. Rich-Harris/estree-walker#26

[nolanlawson]

All of these resolutions were added to fix security vulnerabilities. The only one we still need is micromatch, which can be fixed when we update rollup-plugin-compat's dependencies.

[ekashida]

Thanks for taking care of this

[pmdartus]

It should be fixed with: https://github.com/salesforce/es5-proxy-compat/commit/012991ede3f48fe7b651b07f0c41afe7012bfd2a.

As a side note, I don't see the point of using resolutions in this repo when it comes to NPM audit issues, except when it's a major security vulnerability (eg. eslint-scope). The resolutions property is only applied to this repository. It makes sense if we were shipping an application with tight dependency control, but in our case where we are shipping libraries.

[nolanlawson]

In this very particular case, it actually does work because es5-proxy-compat is a dev dependency that we bundle into @lwc/engine-core. but I agree; resolutions kind of rubs me the wrong way, unless it's for a really critical security vulnerability, and if it actually affects consumers.

I'll publish a new es5-proxy-compat so we can get rid of resolutions entirely.

[nolanlawson]

Updated all the deps and got rid of resolutions!

[ekashida]

Nit: I think I might be the only one still following this convention but used to only add the package name in the parenthesis. I believe it was because we had just started experimenting with hand-written release notes and wanted to keep the description in such a format that we could easily go back to generated release notes.

[nolanlawson]

OK, I can remove (package) since this applies to multiple packages.

[nolanlawson]

Looks like a true failure, will investigate...

[chrome 93.0.4577.63 Windows #0-49] Running: chrome (v93.0.4577.63) on Windows
[chrome 93.0.4577.63 Windows #0-49] Session ID: d664c4313b6d482f8f48bbcc541912b6
[chrome 93.0.4577.63 Windows #0-49]
[chrome 93.0.4577.63 Windows #0-49] » /src/components/events/test-clipboard-event-composed/clipboard-event-composed.spec.js
[chrome 93.0.4577.63 Windows #0-49] clipboard-event-composed polyfill
[chrome 93.0.4577.63 Windows #0-49]    ✖ "before all" hook for clipboard-event-composed polyfill
[chrome 93.0.4577.63 Windows #0-49]
[chrome 93.0.4577.63 Windows #0-49] 1 failing (176ms)
[chrome 93.0.4577.63 Windows #0-49]
[chrome 93.0.4577.63 Windows #0-49] 1) clipboard-event-composed polyfill "before all" hook for clipboard-event-composed polyfill
[chrome 93.0.4577.63 Windows #0-49] Cannot read property 'finally' of undefined
[chrome 93.0.4577.63 Windows #0-49] TypeError: Cannot read property 'finally' of undefined
[chrome 93.0.4577.63 Windows #0-49]     at Context.executeAsync (/home/circleci/lwc/node_modules/@wdio/utils/build/shim.js:293:42)
[chrome 93.0.4577.63 Windows #0-49]     at Context.testFrameworkFnWrapper (/home/circleci/lwc/node_modules/@wdio/utils/build/test-framework/testFnWrapper.js:45:32)

[nolanlawson]

Found what appears to be a bug in WebDriverIO: webdriverio/webdriverio#7405

We can work around it temporarily by using async functions in before() hooks though.