feat: fix security issues

[favna]

This library was ridden with old libraries causing a tonne of security vulnerabilities to it and everyone using the library. This PR aims to fix all of the issues while also generally upgrading the development environment to a more modern standard (by replacing the mix of Sinon, Mocha, Nyc, Proxyrequire with Jest). I also upgraded husky and removed deprecated packages replacing them with their proper equivalents.

As Yargs is one of the main players that got an upgrade and between V10 and V14 they have dropped NodeJS support for NodeJS version 6 and lower this library now therefore also requires NodeJS version 8 or higher. I've configured this appropiately in the engines field of the package.json as well. At least Yarn users will get alerted about it now...

That said, this should be a major version upgrade in semantic-release but I'm not too familiar with its workings on how to control that so I'll leave that in your hands.

Here are some text dumps

Security vulnerabilities before:

npm i

> husky@0.14.3 install /Users/favna/dev/temp/node_modules/husky
> node ./bin/install.js

husky
setting up Git hooks
done


> sinon@4.5.0 postinstall /Users/favna/dev/temp/node_modules/sinon
> node scripts/support-sinon.js

Have some ❤️ for Sinon? You can support the project via Open Collective:
 > https://opencollective.com/sinon/donate

added 1211 packages from 1684 contributors and audited 7741 packages in 12.55s
found 105 vulnerabilities (26 low, 7 moderate, 72 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Security vulnerabilities after:

 npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities
 in 890447 scanned packages

[nanovazquez]

First of all, great work! Thank you for taking the time and effort in doing all of this.

I did a first pass and I agree in most of your changes, still, it is a big PR with multiple changes. It is indeed a major, I'll take care of the commit message later (it's really simple to trigger a major with semantic release, you just have to add BREAKING CHANGE: in the commit message body, see here).

I'll try my best to have it ready this weekend, please wait for it a little bit more.

[nanovazquez]

Hey @favna, how are you? I've made some small changes to this PR and sent you another PR to your main branch (here). Could you please take a look and if all looks good to you merge it to your master branch?

In a nutshell, I'm fixing the test suite, updating documentation and reverting back the change to update yargs, we don't need it to fix all the security issues:

➜  yargs-interactive git:(refactor/fix-tests) npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 890555 scanned packages

Without the yargs update, we can release a new patch version (or minor, still wondering what's best in this case) this weekend. Then, updating yargs in a major version is going to take just a one-liner PR.

[favna]

Changes pretty much look good aside from some extra stuff I posted there concerning yargs upgrade. I'll merge that PR when we come to a conclusion there, then we can merge this one after.

[nanovazquez]

@favna: One more PR to go: https://github.com/Favna/yargs-interactive/pull/3. This one fixes some tests.

[nanovazquez]

🎉 This PR is included in version 2.2.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀