chore(npm lockfile update): update npm lockfile to v2

[camc314]

Lockfile v2 is backwards compatible with all v1 and v2 lockfiles. It contains more information that
would otherwise be included in node_modules. See
https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json#lockfileversion

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[codecov]

Codecov Report

Merging #955 (939bc95) into master (8c5d4b8) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #955   +/-   ##
=======================================
  Coverage   65.02%   65.02%           
=======================================
  Files          24       24           
  Lines         852      852           
  Branches      157      157           
=======================================
  Hits          554      554           
  Misses        270      270           
  Partials       28       28           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8c5d4b8...939bc95. Read the comment docs.

[ferferga]

Have you tested this with npm ci in both npm@latest and npm 6.14.11 running the client (building alone doesn't make all the issues surface)? In my experience while migrating all the repos, npm 7 is far from ready to be used, it had a lot of trouble while resolving peer dependencies in web and expo.

I used first latest for my PR but it had issues with builds that combined install and ci with some packages (specifically with the websocket). I also saw some urls being converted to http instead of https in npm latest, even after clearing cache.

Even if backwards compatible, I would only switch to it once the version of npm that introduces it/support all the features is bundled with a Node LTS version, as we're sticking with LTS stuff everywhere, like in CI.

We've also been using the v1 lockfile version of yarn for quite some time without any plan to switch to v2, and that switch was even more important as yarn 1 is already in maintenance mode, that's why I don't see a reason why we should rush this now 😁.

[heyhippari]

Even if backwards compatible, I would only switch to it once the version of npm that introduces it/support all the features is bundled with a Node LTS version, as we're sticking with LTS stuff everywhere, like in CI.

I absolutely agree with this. We'll only migrate to the new format once Node and Node LTS support a version of NPM that uses it, even if backwards compatible.

People shouldn't have a newer npm installed anyway, unless they manually update, which isn't recommended.

[camc314]

The original reason was when using v7 it automatically recreates/updates the lock file version to v2.

But upon closer inspection, also fixes the following security issues:

NPM v6 does not identify these vulnerabilities.
I think this is because peer dependencies are installed by default.

(Produced by running npm audit)

Before (43 vulnerabilities (21 low, 2 moderate, 17 high, 3 critical))

acorn  5.5.0 - 5.7.3 || 6.0.0 - 6.4.0 || 7.0.0 - 7.1.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1488
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/acorn

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
No fix available
node_modules/axios
  @jellyfin/client-axios  *
  Depends on vulnerable versions of axios
  node_modules/@jellyfin/client-axios

braces  <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/braces
node_modules/vue-native-websocket/node_modules/expand-braces/node_modules/braces  
  expand-braces  *
  Depends on vulnerable versions of braces
  node_modules/vue-native-websocket/node_modules/expand-braces
    karma  <=5.0.7
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of expand-braces
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of socket.io
    node_modules/vue-native-websocket/node_modules/karma
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  node_modules/vue-native-websocket/node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/vue-native-websocket/node_modules/anymatch
      chokidar  1.3.0 - 1.7.0
      Depends on vulnerable versions of anymatch
      node_modules/vue-native-websocket/node_modules/chokidar
        babel-cli  >=6.22.0
        Depends on vulnerable versions of chokidar
        node_modules/vue-native-websocket/node_modules/babel-cli

debug  <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/engine.io-client/node_modules/debug
node_modules/vue-native-websocket/node_modules/engine.io/node_modules/debug       
node_modules/vue-native-websocket/node_modules/mocha/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io-adapter/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io-client/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io-parser/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io/node_modules/debug
  engine.io  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io
  engine.io-client  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io-client
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/vue-native-websocket/node_modules/mocha
  socket.io  <=2.3.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-client
  node_modules/vue-native-websocket/node_modules/socket.io
    karma  <=5.0.7
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of expand-braces
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of socket.io
    node_modules/vue-native-websocket/node_modules/karma
  socket.io-adapter  <=1.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-parser
  node_modules/vue-native-websocket/node_modules/socket.io-adapter
  socket.io-client  1.0.0-pre - 2.0.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-parser
  node_modules/vue-native-websocket/node_modules/socket.io-client
  socket.io-parser  1.1.0 - 3.0.0
  Depends on vulnerable versions of debug
  node_modules/vue-native-websocket/node_modules/socket.io-parser

diff  <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/diff
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/vue-native-websocket/node_modules/mocha

elliptic  <=6.5.3
Severity: high
Signature Malleability - https://npmjs.com/advisories/1547
Use of a Broken or Risky Cryptographic Algorithm - https://npmjs.com/advisories/1648
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/elliptic

growl  <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/growl
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/vue-native-websocket/node_modules/mocha

handlebars  <=4.7.3
Severity: critical
Prototype Pollution - https://npmjs.com/advisories/1164
Denial of Service - https://npmjs.com/advisories/1300
Arbitrary Code Execution - https://npmjs.com/advisories/1316
Arbitrary Code Execution - https://npmjs.com/advisories/1324
Prototype Pollution - https://npmjs.com/advisories/755
Depends on vulnerable versions of optimist
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/handlebars

http-proxy  <1.18.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1486
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/http-proxy

ini  <1.3.6
Prototype Pollution - https://npmjs.com/advisories/1589
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/fsevents/node_modules/ini

js-yaml  <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/js-yaml

kind-of  6.0.0 - 6.0.2
Validation Bypass - https://npmjs.com/advisories/1490
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/base/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/define-property/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/nanomatch/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/randomatic/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/snapdragon-node/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/watchpack/node_modules/kind-of

lodash  <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/karma/node_modules/lodash
node_modules/vue-native-websocket/node_modules/lodash
  karma  <=5.0.7
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of expand-braces
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of optimist
  Depends on vulnerable versions of socket.io
  node_modules/vue-native-websocket/node_modules/karma

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/vue-native-websocket/node_modules/os-locale
    yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/vue-native-websocket/node_modules/yargs
      webpack  2.0.0-beta - 4.0.0-beta.3
      Depends on vulnerable versions of yargs
      node_modules/vue-native-websocket/node_modules/webpack

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/fsevents/node_modules/minimist
node_modules/vue-native-websocket/node_modules/fsevents/node_modules/rc/node_modules/minimist       
node_modules/vue-native-websocket/node_modules/karma-mocha/node_modules/minimist
node_modules/vue-native-websocket/node_modules/meow/node_modules/minimist
node_modules/vue-native-websocket/node_modules/minimist
  karma-mocha  1.3.0
  Depends on vulnerable versions of minimist
  node_modules/vue-native-websocket/node_modules/karma-mocha
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/vue-native-websocket/node_modules/fsevents/node_modules/mkdirp
  node_modules/vue-native-websocket/node_modules/mkdirp
    mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of diff
    Depends on vulnerable versions of growl
    Depends on vulnerable versions of mkdirp
    node_modules/vue-native-websocket/node_modules/mocha
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/vue-native-websocket/node_modules/optimist
    handlebars  <=4.7.3
    Depends on vulnerable versions of optimist
    node_modules/vue-native-websocket/node_modules/handlebars
    karma  <=5.0.7
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of expand-braces
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of socket.io
    node_modules/vue-native-websocket/node_modules/karma

mixin-deep  <=1.3.1 || 2.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1013
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/mixin-deep

parsejson  *
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/528
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/parsejson
  engine.io-client  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io-client

set-value  <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/set-value
node_modules/vue-native-websocket/node_modules/union-value/node_modules/set-value
  union-value  <=1.0.0 || 2.0.0
  Depends on vulnerable versions of set-value
  node_modules/vue-native-websocket/node_modules/union-value

socket.io  <=2.3.0
Severity: moderate
Insecure Default Configuration - https://npmjs.com/advisories/1609
Depends on vulnerable versions of debug
Depends on vulnerable versions of socket.io-client
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/socket.io
  karma  <=5.0.7
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of expand-braces
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of optimist
  Depends on vulnerable versions of socket.io
  node_modules/vue-native-websocket/node_modules/karma

tar  <2.2.2 || >=3.0.0 <4.4.2
Severity: high
Arbitrary File Overwrite - https://npmjs.com/advisories/803
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/fsevents/node_modules/tar

ws  <1.1.5 || >=2.0.0 <3.3.1
Severity: high
Denial of Service - https://npmjs.com/advisories/550
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/ws
  engine.io  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io
  engine.io-client  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io-client

y18n  <3.2.2||=4.0.0||>=5.0.0 <5.0.5
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1654
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/y18n

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/vue-native-websocket/node_modules/yargs
    webpack  2.0.0-beta - 4.0.0-beta.3
    Depends on vulnerable versions of yargs
    node_modules/vue-native-websocket/node_modules/webpack

43 vulnerabilities (21 low, 2 moderate, 17 high, 3 critical)

After (2 high severity vulnerabilities)

```

axios <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
No fix available
node_modules/axios
@jellyfin/client-axios *
Depends on vulnerable versions of axios
node_modules/@jellyfin/client-axios

2 high severity vulnerabilities

An issues has been created for the above: jellyfin/jellyfin-client-axios#9
</details>

[camc314]

I absolutely agree with this. We'll only migrate to the new format once Node and Node LTS support a version of NPM that uses it, even if backwards compatible.

npm v7 is used in node v15 nodejs/node#35631

[ferferga]

@camc314 But Node 15 is not LTS, only even versions are LTS as per their docs

[camc314]

That's what I said. npm 7 is used in node 15, the current latest version

[ferferga]

But we're not aiming for latest versions, we're aiming for LTS (Long-Term Support) ones all the time afaik.

Correct me if I'm wrong @MrTimscampi

[camc314]

Ok that's fine. I understand why you'd want to use npm v6

How ever the security issues raised are still of concern.

[heyhippari]

But we're not aiming for latest versions, we're aiming for LTS (Long-Term Support) ones all the time afaik.

Correct me if I'm wrong @MrTimscampi

You are correct.

I'm expecting us to move to Node 16 probably around May-June (When it had like a month to get adopted by the various dependencies and such).

[camc314]

Ok That's fine I understand the reasons for using npm v7. Please see the concerns I highlighted above regarding security though.