Upgrade to lerna 5.5.4

[marcdumais-work]

What it does

Fixes #11737

This PR updates dev-dependency lerna, from 4.x to latest 5.x. In the process we get rid of several important security vulnerabilities, that we have carried for a long while (that affect the development environment only, not Theia-based products at runtime).

We also introduce a new dev-dependency, improved-yarn-audit, that complements yarn audit nicely. Its behaviour is more configurable and its output parse-able, which makes it easier to eventually integrate to CI.

Simple usage examples:
$> yarn run improved-yarn-audit
$> yarn run improved-yarn-audit --ignore-dev-deps

How to test

• confirm the repo build locally without issues and that the example application seems to work fine
• confirm that the previous high and severe security vulnerabilities are gone - there is a new one at level high, related to the axios dependency of lerna, used by nx (they have a couple of related issues on their project, to use a later axios, so it will be fixed soon I hope)
• (optional - I have done the below myself): test publishing a 'next' and 'latest' release using a local registry. Rough instructions:
  note: be careful if you happen to have the production registry configured on your machine. Consider moving the corresponding .npmrc file temporarily to avoid pushing to real registry by mistake
  • $> npm add -g verdaccio
  • $> verdaccio # start verdaccio in another terminal
  • in main terminal, set local registry as temporary default
  • $> npm config set registry http://localhost:4873/
  • $> yarn config set registry http://localhost:4873/
  • $> npm adduser --registry http://localhost:4873/ # use bogus user/credentials. e.g.: test/test/[email protected]
  • simulate solid release from the PR commit - select "minor" when prompted
  • $> git clean -ffdx && yarn && yarn build:examples && yarn test:theia
  • $> npx lerna publish --registry http://localhost:4873 --exact --yes --no-push && yarn -s publish:check
  • verify that publishing worked without errors from "publish:check"
  • locally build a local Theia application, using the newly locally released Theia (e.g. 1.31.0)
  • verify that the local app builds and runs fine
  • simulate next release - cleanup any checked-out file left before proceeding
  • $> git clean -ffdx && yarn && yarn build:examples && yarn test:theia
  • $> npx lerna publish --registry http://localhost:4873 preminor --exact --canary --preid next --dist-tag next --no-git-reset --no-git-tag-version --no-push --yes && yarn -s publish:check
  • verify that publishing worked without errors from "publish:check"
  • locally build a local Theia application, using the newly locally released Theia (e.g. 1.32.0-next.0)
  • verify that the local app builds and runs fine
  • when all done, unset local registry (else entries related to it will be included in yarn.lock as you continue working on something else:
  • $> npm config delete registry http://localhost:4873/
  • $> yarn config delete registry http://localhost:4873/

Review checklist

• As an author, I have thoroughly tested my changes and carefully followed the review guidelines

Reminder for reviewers

• As a reviewer, I agree to behave in accordance with the review guidelines

[vince-fugnitto]

LGTM 👍

• Build is successful, and both the example-electron and example-browser work
• CI passes
• Confirmed that vulnerabilities previously reported by yarn audit have been resolved (new one from axios as expected)
• Confirmed that yarn run improved-yarn-audit works and reports the vulnerabilities in a nice format
• Confirmed that yarn run improved-yarn-audit --ignore-dev-deps works and does not report devDependencies

[marcdumais-work]

@vince-fugnitto as suggested during the dev-meeting, I added an entry to the migration guide. And since there was a conflict with yarn.lock I rebased on latest master. Can you have another quick look?

[vince-fugnitto]

LGTM 👍