update minimist to handle security vulnerability #114

Closed

Conversation

@elvece commented Mar 18, 2020

Resolves issue 113

@elvece (Author) commented Mar 21, 2020

@dominictarr approved and ready to merge

@Naktibalda commented

There is something weird going on with rc dependencies.
This change is not necessary because, according to semantic versioning, ^1.2.0 allows installation of any version greater than or equal to 1.2.0 and lower than 2.0.

In my project I have rc@1.2.8 using minimist@1.2.5 in one place and minimist@1.2.0 in another:

$ npm ls minimist
@project-name@0.0.1
├─┬ grpc@1.24.2
│ └─┬ node-pre-gyp@0.14.0
│   ├─┬ mkdirp@0.5.1
│   │ └── minimist@0.0.8
│   └─┬ rc@1.2.8
│     └── minimist@1.2.0
├─┬ grpc-tools@1.8.1
│ └─┬ node-pre-gyp@0.12.0
│   ├─┬ mkdirp@0.5.1
│   │ └── minimist@0.0.8
│   └─┬ rc@1.2.8
│     └── minimist@1.2.0
├─┬ grpc_tools_node_protoc_ts@2.5.10
│ └─┬ handlebars@4.5.3
│   └─┬ optimist@0.6.1
│     └── minimist@0.0.10
├─┬ mocha@7.1.1
│ └─┬ mkdirp@0.5.3
│   └── minimist@1.2.5
└─┬ nodemon@2.0.2
  └─┬ update-notifier@2.5.0
    └─┬ latest-version@3.1.0
      └─┬ package-json@4.0.1
        └─┬ registry-auth-token@3.4.0
          └─┬ rc@1.2.8
            └── minimist@1.2.5

A common pattern is that minimist@1.2.0 is used when rc@1.2.8 is required by node-pre-gyp, but registry-auth-token allows rc@1.2.8 to use minimist@1.2.5.

Running npm update minimist --depth=4 updates minimist in dependencies of rc, but then npm starts complaining:

$ npm update minimist --depth=4
+ minimist@1.2.5
updated 1 package in 0.3s
+ minimist@1.2.5
updated 1 package in 0.515s
$ npm ls minimist
@project-name@0.0.9 /
├─┬ grpc@1.24.2
│ └─┬ node-pre-gyp@0.14.0
│   ├─┬ mkdirp@0.5.1
│   │ └── minimist@0.0.8
│   └─┬ rc@1.2.8
│     └── UNMET DEPENDENCY minimist@1.2.0
├─┬ grpc-tools@1.8.1
│ └─┬ node-pre-gyp@0.12.0
│   ├─┬ mkdirp@0.5.1
│   │ └── minimist@0.0.8
│   └─┬ rc@1.2.8
│     └── UNMET DEPENDENCY minimist@1.2.0
├─┬ grpc_tools_node_protoc_ts@2.5.10
│ └─┬ handlebars@4.5.3
│   └─┬ optimist@0.6.1
│     └── minimist@0.0.10
├─┬ mocha@7.1.1
│ └─┬ mkdirp@0.5.3
│   └── minimist@1.2.5
└─┬ nodemon@2.0.2
  └─┬ update-notifier@2.5.0
    └─┬ latest-version@3.1.0
      └─┬ package-json@4.0.1
        └─┬ registry-auth-token@3.4.0
          └─┬ rc@1.2.8
            └── minimist@1.2.5

npm ERR! missing: minimist@1.2.0, required by rc@1.2.8
npm ERR! missing: minimist@1.2.0, required by rc@1.2.8

@dominictarr (Owner) commented

Ah yeah, npm could be more deterministic. I switched to yarn.
As rc will correctly resolve the latest, secure version of minimist, I don't think it needs to change.
It must either be a) some other modules want old versions or b) npm is confused. Or both!

@dominictarr closed this Apr 3, 2020
@jayaddison commented

For anyone else reading this: it looks like some of the difficulties identifying the source of the minimist audit reports are due to use of NPM bundledDependencies.

For example grpc-tools@1.8.1 bundles node-pre-gyp (and that bundle includes rc and therefore minimist).

fsevents@1.2.9 has this same configuration.

I think that means that the dependency that does the bundling will have to be updated in order for upstream projects to see a fix, since the downloaded copy of an existing, unfixed package containing bundles will continue to provide the dependencies regardless of semver rules.
