
Dependency upgrades and minor improvements #28

Merged (7 commits), Jan 4, 2021

@schoenkaft (Contributor) commented Dec 18, 2020

Hey! 👋

  • Refined a few trivial lines of code.
  • Sorted all .stylelintrc rules, making it easier to find/adjust one of those.
  • Disabled failAfterError in stylelint. This allows you to continue the (initial) build if there is a style linting error. For example when updating to the latest version of this package and having to fix/refine new stylelint rules, or continue building with an accidental lint commit by a colleague.
  • Updated the default @babel/preset-env target, which now should default to browserslist defaults (see docs).
  • Upgraded all dependencies. Changelogs for major package upgrades were checked/followed:
    • Added postcss as a dependency, since it's now specified as a peerDependency.
    • Changed Stream to Buffer for the breaking gulp-rev-rewrite change.
  • The above upgrade fixes all 41 'vulnerabilities', which are usually less severe than they sound (especially in the case of usage in pipeline/tooling). But having to pass corporate code analysis is easier with fewer CVEs 😇

Nice to see the move to stylelint, makes sense (wasn't aware of its existence yet)! Was a fairly seamless switch for me. Added quite a lot of additional strict rules myself, but I assume Prettier takes care of most of those in your setup anyway 👌

PS: I think the last version might not have been published via yarn publish. It's missing the correct version in package.json — which is used to display the current version in the build output — plus the usual commit and version tag. Also all tags for v8.x.x are missing (git push --tags 😄 ).

Suggestions for improvements are welcome!
Happy holidays 🎅

@schoenkaft (Contributor, Author) commented Dec 21, 2020

Added one additional commit, which fixes the last audit-reported vulnerability for this package:

yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 1707
✨  Done in 1.17s.

It leverages selective dependency resolution, which is safer than simply bumping versions in the yarn.lock file (and hoping no one will ever mess it up). Unfortunately it appears this approach does not bubble up the dependency tree, so to apply this to a specific project, one could add the following to the package.json:

"resolutions": {
  "@grrr/gulpfile/gulp-modernizr/**/optimist/minimist": "^1.2.5"
}

This specific minimist vulnerability will likely never be an issue in real life, so no need to act. But it's probably good to know there is a proper way to override specific versions for nested dependencies (npm is also working on an override RFC).
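As an added example (not code from this PR or from the @grrr/gulpfile project), the script below checks whether a yarn `resolutions` key would cover each installed copy of a nested package, and whether that copy already satisfies the requested range, so a resolution that silently misses a copy can be noticed. It models dependency paths as arrays of package names and assumes simplified semantics: `**` matches zero or more intermediate packages, and only caret ranges are understood (a real check should use the `semver` package); the sample tree is constructed.

```javascript
// Added example, not from the PR or the @grrr/gulpfile project: audit one yarn
// "resolutions" key against a model of the installed tree. Dependency paths are
// arrays of package names from the root down. Assumed, simplified semantics:
// "**" matches zero or more intermediate packages; only caret ranges are understood.

// Constructed sample tree resembling the one the comment above describes.
const SAMPLE_TREE = [
  { path: ["@grrr/gulpfile", "gulp-modernizr", "optimist", "minimist"], version: "1.2.5" },
  { path: ["@grrr/gulpfile", "gulp-modernizr", "optimist", "minimist"], version: "0.0.10" },
  { path: ["@grrr/gulpfile", "minimist"], version: "1.2.0" },
];

// Split a key on "/", keeping scoped names such as "@grrr/gulpfile" whole.
function splitKey(key) {
  const out = [];
  const parts = key.split("/");
  for (let i = 0; i < parts.length; i++) {
    out.push(parts[i].startsWith("@") ? parts[i] + "/" + parts[++i] : parts[i]);
  }
  return out;
}

// Recursive glob match of a split key against a dependency path.
function matches(pattern, path) {
  if (pattern.length === 0) return path.length === 0;
  if (pattern[0] === "**") {
    // "**" consumes zero packages (try the rest) or one package (recurse on the tail).
    return matches(pattern.slice(1), path) || (path.length > 0 && matches(pattern, path.slice(1)));
  }
  return path.length > 0 && pattern[0] === path[0] && matches(pattern.slice(1), path.slice(1));
}

// Simplified caret check: same major (same minor too when major is 0), not below the floor.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled in this example");
  const floor = range.slice(1).split(".").map(Number);
  const v = version.split(".").map(Number);
  if (v[0] !== floor[0] || (floor[0] === 0 && v[1] !== floor[1])) return false;
  for (let i = 0; i < 3; i++) if (v[i] !== floor[i]) return v[i] > floor[i];
  return true;
}

// Which installed copies does the key cover, and which of those are still out of range?
function auditResolution(key, range, tree) {
  const pattern = splitKey(key);
  const covered = tree.filter((dep) => matches(pattern, dep.path));
  const outOfRange = covered.filter((dep) => !satisfiesCaret(range, dep.version));
  return { covered: covered.length, outOfRange: outOfRange.map((d) => `${d.path.join("/")}@${d.version}`) };
}
```

Running `auditResolution` with the key from the comment reports the two copies under optimist and flags the stale one; the looser `**/minimist` key also picks up the direct copy that the narrow key leaves untouched.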

@harmenjanssen (Member) left a comment

Awesome, thanks Koen!
Also for the explanation.

You're right, I had some local tags lingering. Oops. 😬
The version was published however, but I can imagine NPM not being able to find versions that do not correspond to remotely available tags.

Anyways, all is well now! Will publish your changes immediately.

@harmenjanssen harmenjanssen merged commit 7940572 into grrr-amsterdam:master Jan 4, 2021
@schoenkaft schoenkaft deleted the koen/upgrades branch January 6, 2021 11:17