Fix a few vulnerabilities

[Tristramg]

Two can not be fixed yet:

• Update lodash to 5.17.11 to resolve node vulnerability audit swagger-api/swagger-node#579
• v3.8.1 proposal (became v4.0.0) nodejs/node-gyp#1718

[Tristramg]

Wouldn’t it be useful to also commit a package-lock.json? If you agree I will a make a follow-up PR

[muxator]

Thanks for the contribution.
At least for the clean-css upgrade, we cannot proceed like this.

As you can see in clean-css 4.2.1 readme:

clean-css 4.0 introduces some breaking changes:

• root, relativeTo, and target options are replaced by a single rebaseTo option - this means that rebasing URLs and import inlining is much simpler but may not be (YMMV) as powerful as in 3.x;

The change affects Etherpad:

etherpad-lite/src/node/utils/Minify.js

Line 418 in 357780d

new CleanCSS({relativeTo: base}).minify(content, function (errors, minified) {

The dummy fix (replacing relativeTo -> rebaseTo) does not work. I started investigating this, but had to put on hold due to lack of time.

Would you be so kind to work on this on a different PR?

[Tristramg]

Oh indeed. The only problem I see locally is with background on the / where the jpeg hasn’t the right route.
I tried to understand what happens, but I’m not a JS developper and I got lost here. Sorry, I don’t think I’ll be able to continue to focus on etherpad.

[muxator]

Closing this PR since it is not going to progress.

The issues mentioned in this comment thread are going to be tracked in #3598 and #3616: refer there for status updates.