[Snyk] Fix for 29 vulnerable dependency paths (#1967)

* fix: package.json & .snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/npm:minimatch:20160620
- https://snyk.io/vuln/npm:braces:20180219


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/npm:debug:20170905
- https://snyk.io/vuln/npm:moment:20160126


The following vulnerabilities are ignored:
- https://snyk.io/vuln/npm:growl:20160721
- https://snyk.io/vuln/npm:hoek:20180212
- https://snyk.io/vuln/npm:lodash:20180130
- https://snyk.io/vuln/npm:moment:20161019
- https://snyk.io/vuln/npm:moment:20170905

Latest report for mozilla/donate.mozilla.org:
https://snyk.io/test/github/mozilla/donate.mozilla.org

* update extract-text-webpack-plugin

* updating dependencies and webpack

* Absolute output path

* apply snyk provided patches for vulnerable dependencies

* remove loaders, in favour of rules

Author: snyk-bot

.snyk

@@ -0,0 +1,89 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.10.2
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  'npm:growl:20160721':
+    - polyfill-service > mocha > growl:
+        reason: None given
+        expires: '2018-04-01T19:56:45.294Z'
+  'npm:hoek:20180212':
+    - good-console-logfmt > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - good-console-logfmt > good-squeeze > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > hawk > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > hawk > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > request > hawk > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > request > hawk > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > hawk > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > hawk > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > hawk > cryptiles > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > hawk > cryptiles > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > request > hawk > cryptiles > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > request > hawk > cryptiles > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > request > hawk > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > request > hawk > boom > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > hawk > sntp > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > hawk > sntp > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - babel-cli > chokidar > fsevents > node-pre-gyp > request > hawk > sntp > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+    - webpack > watchpack > chokidar > fsevents > node-pre-gyp > request > hawk > sntp > hoek:
+        reason: None given
+        expires: '2018-04-01T19:56:45.295Z'
+  'npm:lodash:20180130':
+    - good-console-logfmt > logfmt > lodash:
+        reason: None given
+        expires: '2018-04-01T19:56:45.296Z'
+    - polyfill-service > grunt > grunt-legacy-util > lodash:
+        reason: None given
+        expires: '2018-04-01T19:56:45.296Z'
+    - polyfill-service > grunt > grunt-legacy-log > grunt-legacy-log-utils > lodash:
+        reason: None given
+        expires: '2018-04-01T19:56:45.296Z'
+  'npm:moment:20161019':
+    - good-console-logfmt > moment:
+        reason: None given
+        expires: '2018-04-01T19:56:45.296Z'
+  'npm:moment:20170905':
+    - good-console-logfmt > moment:
+        reason: None given
+        expires: '2018-04-01T19:56:45.296Z'
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+  'npm:debug:20170905':
+    - polyfill-service > mocha > debug:
+        patched: '2018-03-02T19:56:45.299Z'
+  'npm:moment:20160126':
+    - good-console-logfmt > moment:
+        patched: '2018-03-02T19:56:45.299Z'

package.json

@@ -8,7 +8,7 @@
     "build:l10njson": "pontoon-to-json --dest ./public",
     "build:exchangerates": "node scripts/exchangerates.js",
     "build:babel": "babel src --compact=true -s --out-dir dist",
-    "build:webpack": "webpack --optimize-minimize --optimize-dedupe",
+    "build:webpack": "webpack --optimize-minimize",
     "watch:js": "npm-run-all --parallel watch:babel watch:webpack",
     "watch:babel": "npm run build:babel -- -w",
     "watch:webpack": "webpack --progress --profile --colors --watch",
@@ -22,7 +22,9 @@
     "test:depcheck": "dependency-check ./package.json",
     "test:lint": "eslint --ext .js,.jsx .",
     "imagemin": "imagemin assets/images/* assets/images",
-    "postinstall": "npm-run-all build:*"
+    "postinstall": "npm-run-all build:*",
+    "snyk-protect": "snyk protect",
+    "prepare": "npm run snyk-protect"
   },
   "repository": {
     "type": "git",
@@ -45,21 +47,21 @@
     "async": "1.5.1",
     "aws-sdk": "^2.176.0",
     "babel-cli": "6.9.0",
-    "babel-core": "6.9.0",
-    "babel-loader": "6.2.1",
+    "babel-core": "6.10.4",
+    "babel-loader": "7.1.3",
     "babel-preset-es2015": "6.3.13",
     "babel-preset-react": "6.11.1",
     "bestlang": "0.0.1",
     "blankie": "4.0.0",
     "boom": "7.1.1",
-    "css-loader": "0.23.1",
+    "css-loader": "0.28.4",
     "enhanced-require": "0.5.0-beta6",
     "enzyme": "2.7.0",
     "eslint": "4.11.0",
     "eslint-loader": "1.1.1",
     "eslint-plugin-react": "3.14.0",
     "exports-loader": "0.6.2",
-    "extract-text-webpack-plugin": "0.9.1",
+    "extract-text-webpack-plugin": "3.0.2",
     "good": "8.0.0-rc1",
     "good-console": "^7.0.0",
     "good-console-logfmt": "1.0.2",
@@ -75,7 +77,7 @@
     "json-loader": "0.5.4",
     "langmap": "0.0.12",
     "less": "2.5.3",
-    "less-loader": "2.2.2",
+    "less-loader": "4.0.6",
     "npm-run-all": "1.4.0",
     "object-assign": "4.1.0",
     "on-build-webpack": "0.1.0",
@@ -93,10 +95,11 @@
     "request": "2.83.0",
     "scooter": "5.0.0",
     "stripe": "5.1.1",
-    "style-loader": "0.13.0",
+    "style-loader": "0.18.2",
     "throng": "4.0.0",
-    "webpack": "1.12.9",
-    "whatwg-fetch": "0.10.1"
+    "webpack": "3.2.0",
+    "whatwg-fetch": "0.10.1",
+    "snyk": "^1.69.10"
   },
   "devDependencies": {
     "cross-spawn": "2.1.4",
@@ -120,5 +123,6 @@
   },
   "engines": {
     "node": "^8.9.0"
-  }
+  },
+  "snyk": true
 }

webpack.config.js

@@ -10,32 +10,28 @@ module.exports = {
   output: {
     filename: '[name].[hash].js',
     chunkFilename: '[id].chunk.js',
-    path: Path.join('public')
+    path: Path.join( __dirname, './public')
   },
   resolve: {
-    extensions: ['', '.js']
+    extensions: ['.js']
   },
   module: {
-    loaders: [
-      { test: /\.json$/, loaders: ['json-loader'], exclude: ['node_modules'] },
-      { test: /\.less$/, loader: ExtractTextPlugin.extract(
-        'css?sourceMap!less?sourceMap'
-      ), exclude: ['node_modules'] }
-    ],
-    preLoaders: [
-      { test: /\.jsx$/, loaders: ['eslint-loader'], exclude: ['node_modules'] }
+    rules: [
+      { test: /\.json$/, loader: 'json-loader', exclude: ['node_modules'] },
+      { test: /\.jsx$/, enforce: 'pre', loader: 'eslint-loader', exclude: ['node_modules'] },
+      { test: /\.less$/, use: ExtractTextPlugin.extract({
+          fallback: 'style-loader',
+          use: ['css-loader', 'less-loader']
+        })
+      }
     ]
   },
-  eslint: {
-    emitError: true,
-    emitWarning: true
-  },
   plugins: [
     new AssetsPlugin({
       path: Path.join(__dirname, 'public')
     }),
     new webpack.ProvidePlugin({
-      'fetch': 'imports?this=>global!exports?global.fetch!whatwg-fetch'
+      'fetch': 'imports-loader?this=>global!exports-loader?global.fetch!whatwg-fetch'
     }),
     new ExtractTextPlugin("style.[hash].css", {
       allChunks: true