Security: Update vulnerable dependencies

[rouanw]

This Pull Request addresses some vulnerabilities reported by npm audit:

• Updates lerna (minor version)
• Updates micromatch (major version, but the micromatch maintainers assert the API is unchanged - see https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md#300---2017-04-11)
• Removes lodash-cli (I couldn't see any usages of this library)

@shakyShane do you mind taking a look please?

[rouanw]

I see the AppVeryor build for node 4 failed - looks like there was a checksum mismatch while installing rxjs.

[rouanw]

@shakyShane have you had a chance to take a look?

I haven't used AppVeyor, but I suspect a contributor to the library will be able to re-run the failed job. (I did some reading and AppVeyor is apparently prone to network and connectivity glitches, which may explain the failed install.)

[j-oliveras]

@rouanw You can try closing and re-opening to retrigger CI.

[saidkholov]

any updates on this?

[simonmaass]

any news when this will be fixed?

[Clement-TS]

up, any news on that?

[dennisreimann]

@shakyShane Can you please have a look and retrigger the AppVeyor build? It'd be great to have a new release with these updates. Please let me know if there is something we could help with, I guess people are eagerly waiting for a new version which incorporates the vulnerability fixes. Thanks!

[dennisreimann]

There hasn't been any commit activity for the last half year and not receiving an answer here makes me wonder, whether or not this repo is still maintained. As I said I'd be willing to help out, since I'm relying on BrowserSync in several of my projects and I'd rather not see this project fade away.

[shakyShane]

I'm looking into all security related PRs now :)

[shakyShane]

fixed in 2.26.4, thanks for your contribution :)

[Berkmann18]

@shakyShane Is there a reason why you don't merge people's contribution and instead of copying what they did?

[shakyShane]

@Berkmann18 just in this case, there were 4 different open PRs, all with slightly different fixes.

This happened purely because I was absent for so long, something I regret and am sorry for. Once I did get around to this, with only of hours to spare I made the decision to perform all updates in 1 go, rather than attempt to cherry pick bits and pieces spread across 4 PRs.

I value PRs greatly, and have accepted/merged many in the past - but for this one, just because of time restraints, I decided against it.

Hope that clears it up, and doesn't discourage further contributions in the future

[Berkmann18]

@shakyShane Thanks for the clarification.