[security] update to latest lerna
Fixes #11737

before update:
7 vulnerabilities found - Packages audited: 1946
Severity: 3 Moderate | 2 High | 2 Critical

after update:
2 vulnerabilities found - Packages audited: 2036
Severity: 1 Moderate | 1 High

Signed-off-by: Marc Dumais <marc.dumais@ericsson.com>
marcdumais-work committed Oct 11, 2022
1 parent fb11a22 commit 41a603b
Showing 3 changed files with 1,316 additions and 1,090 deletions.
28 changes: 19 additions & 9 deletions doc/Migration.md
Expand Up @@ -19,6 +19,14 @@ For example:
}
```

### v1.30.0

#### lerna 5.5.4

The `lerna` dev-dependency was upgraded one major versions, to v5.5.4. This removes a few high and severe known vulnerabilities from our development environment. See the [PR](https://github.com/eclipse-theia/theia/pull/11738) for more details.

The upgrade was smooth in this repo, but it's possible that Theia developers/extenders, that are potentially using `lerna` differently, might need to do some adaptations.

### v1.29.0

#### React 18 update
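
Review bot: In the new paragraph under `#### lerna 5.5.4`, "upgraded one major versions" should read "upgraded by one major version", and "high and severe" does not match the severity names in the audit summary quoted in the commit message (High, Critical); using the audit's own terms lets readers map this note to their audit output. The commit message also reports 2 findings still present after the update (1 Moderate, 1 High), so the text should say the upgrade reduces the known vulnerabilities rather than imply the development environment is now clean.
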
Expand Down Expand Up @@ -53,14 +61,14 @@ This version updates the Monaco code used in Theia to the state of VSCode 1.65.2

#### ASM to ESM

Two kinds of changes may be required to consume Monaco using ESM modules.
Two kinds of changes may be required to consume Monaco using ESM modules.

- If your application uses its own Webpack config rather than that generated by the @theia/dev-packages, you
- If your application uses its own Webpack config rather than that generated by the @theia/dev-packages, you
will need to update that config to remove the `CopyWebpackPlugin` formerly used to place Monaco
code in the build folder and to build a separate entrypoint for the `editor.worker`. See [the changes here](https://github.com/eclipse-theia/theia/pull/10736/files#diff-b4677f3ff57d8b952eeefc10493ed3600d2737f9b5c9b0630b172472acb9c3a2)
- If your application uses its own frontend generator, you should modify the code that generates the `index.html` to load the `script` containing the bundle into the `body` element rather than the head. See [changes here](https://github.com/eclipse-theia/theia/pull/10947/files)
- References to the `window.monaco` object should be replaced with imports from `@theia/monaco-editor-core`. In most cases, simply adding an import `import * as monaco from
'@theia/monaco-editor-core'` will suffice. More complex use cases may require imports from specific parts of Monaco. Please see
- If your application uses its own frontend generator, you should modify the code that generates the `index.html` to load the `script` containing the bundle into the `body` element rather than the head. See [changes here](https://github.com/eclipse-theia/theia/pull/10947/files)
- References to the `window.monaco` object should be replaced with imports from `@theia/monaco-editor-core`. In most cases, simply adding an import `import * as monaco from
'@theia/monaco-editor-core'` will suffice. More complex use cases may require imports from specific parts of Monaco. Please see
[the PR](https://github.com/eclipse-theia/theia/pull/10736) for details, and please post any questions or problems there.

Using ESM modules, it is now possible to follow imports to definitions and to the Monaco source code. This should aid in tracking down issues related to changes in Monaco discussed
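
Review bot: The paired lines under `#### ASM to ESM` are textually identical in this view, so this hunk appears to change only whitespace. Formatting cleanup mixed into a commit titled `[security]` makes the dependency change harder to audit and to cherry-pick onto a maintenance branch; suggest moving these edits, and the similar ones in the following Migration.md hunks, into a separate commit.
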
Expand All @@ -70,12 +78,12 @@ below.

The Monaco API has changed in significant ways since the last uplift. One of the most significant is the handling of overrides to services instantiated by Monaco.

- The style of service access `monaco.StaticServices.<ServiceName>.get()` is no longer available. Instead, use `StaticServices.get(<ServiceIdentifier>)` with a service
- The style of service access `monaco.StaticServices.<ServiceName>.get()` is no longer available. Instead, use `StaticServices.get(<ServiceIdentifier>)` with a service
identifier imported from `@theia/monaco-editor-core`.
- Any service overrides that should be used for all instantiations in Monaco should be passed to the first call of `StaticServices.initialize`. The first call is used to set the
- Any service overrides that should be used for all instantiations in Monaco should be passed to the first call of `StaticServices.initialize`. The first call is used to set the
services for all subsequent calls. Overrides passed to subsequent calls to `StaticServices.initialize` will be ignored. To change the overrides used, please override
[`MonacoFrontendApplicationContribution.initialize`](https://github.com/eclipse-theia/theia/pull/10736/files#diff-99d13bb12b3c33ada58d66291db38b8b9f61883822b08b228f0ebf30b457a85d).
- Services that should be used for a particular instantiation must be passed to a child of the global `IInstantiationService`. See `MonacoEditor.getInstantiationWithOverrides`
- Services that should be used for a particular instantiation must be passed to a child of the global `IInstantiationService`. See `MonacoEditor.getInstantiationWithOverrides`
for an example.

Other changes include a number of changes of name from `mode` -> `language` and changes of interface. Please consult [the PR](https://github.com/eclipse-theia/theia/pull/10736) or
Expand Down Expand Up @@ -143,6 +151,7 @@ You can delete this whole block and replace it by the following:
- es5 VS Code extensions and Theia plugins are still supported
- If you require an es5 codebase you should be able to transpile back to es5 using webpack
- The following code transpiles back to an es2015 codebase:

```
config.module.rules.push({
test: /\.js$/,
Expand All @@ -154,6 +163,7 @@ You can delete this whole block and replace it by the following:
}
});
```

- Replace the targets with the ones that are needed for your use case
- Make sure to use `inversify@5.1.1`. Theia requires `inversify@^5.0.1` which means that `5.1.1` is compatible,
but your lockfile might reference an older version.
Expand All @@ -168,7 +178,7 @@ You can delete this whole block and replace it by the following:

[Release](https://github.com/eclipse-theia/theia/releases/tag/v1.15.0)

#### Keytar:
#### Keytar

- [`keytar`](https://github.com/atom/node-keytar) was added as a dependency for the secrets API. and may require `libsecret` in your particular distribution to be functional:
- Debian/Ubuntu: `sudo apt-get install libsecret-1-dev`
Expand Down
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -39,7 +39,7 @@
"if-env": "^1.0.4",
"ignore-styles": "^5.0.1",
"jsdom": "^11.5.1",
"lerna": "^4.0.0",
"lerna": "^5.5.4",
"node-gyp": "^9.0.0",
"nsfw": "^2.1.2",
"nyc": "^15.0.0",
Expand Down
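
Review bot: The `"lerna": "^5.5.4"` range accepts any later 5.x release, so the audit counts quoted in the commit message hold only for the dependency tree that was actually resolved, not for this line on its own. The third changed file is not rendered on this page and is presumably the lockfile; please confirm it was regenerated from this `package.json` in the same commit, and list the two findings that remain (1 Moderate, 1 High) in the PR so they can be tracked to a follow-up.
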