fix: update update-notifier to resolve dot-prop vulnerability

[cmdcarini]

This updates the version of update-notifier to resolve the vulnerability present in the existing version's dot-prop dependency. This resolves #1584 .

References

Closes #1584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116

[ljharb]

It's tough to tell in the diff; do any of these bump major versions such that engines support would change?

[cmdcarini]

Indeed it would appear it would, per the release notes, v3 of update-notifier removes support for Node v6

[cmdcarini]

Is this test still relevant?
https://github.com/npm/cli/blob/latest/test/tap/00-verify-no-scoped.js

[moustafab]

@cmdcarini I was working on sorting this issue out this morning, and saw this issue/PR pop up. One issue you might have is the dependent package is also there in libnpx.

[cmdcarini]

@cmdcarini I was working on sorting this issue out this morning, and saw this issue/PR pop up. One issue you might have is the dependent package is also there in libnpx.

I noticed this too, figured there's room for another PR, after they patch

[cmdcarini]

@ruyadorno | @isaacs | ${someOtherNPMOfficial} are there any updates on triaging this to be reviewed/merged?

[ruyadorno]

@cmdcarini thank you for taking the time to put this together 😊

We are aware of the issue and planning to have a patch release of v6 that solves the problem sometime soon 👍

[ruyadorno]

Note: We can't land this PR in its current state since we can't drop support to node6 in npm6.

That said, I'm not sure yet what the answer will be 🤔 Sorry I can't be more helpful at the moment, we def appreciate the contribution so I just wanted to leave you the quick reply 😊

[cmdcarini]

Note: We can't land this PR in its current state since we can't drop support to node6 in npm6.

That said, I'm not sure yet what the answer will be 🤔 Sorry I can't be more helpful at the moment, we def appreciate the contribution so I just wanted to leave you the quick reply 😊

Awesome! Thanks much for your reply