Description
Motivation
Keeping dependencies up to date benefits the whole ecosystem. First, following updates and changes as they happen keeps the project from being overwhelmed by a large backlog, and it also ensures we keep using packages that are maintained and safe/secure. By relying on out-of-date packages, we may carry hidden vulnerabilities that could be exploited.
Expectation
Keep all dependencies up to date for performance and security reasons.
Implementation
Remove unused packages if we have any
Implement automation around package updates using Dependabot or Renovate (or build a custom GitHub Action)
Follow up with the Security WG to keep the dependencies up to date
Do we want automatic security updates with auto-merge and auto-publish (if all tests pass)?
Status
Part: Organization
Draft
Following the Security and Performance parts, one key solution is to keep our dependency list small and up to date. Doing so helps the project run faster, ensures the best security, and lets us stay current with the ecosystem.
We need to focus on:
Keeping all dependencies at the latest version (or close to it)
Removing unused dependencies
Using Node.js core modules where possible