@bazel/jasmine 0.38 depends on mem@1.1 which has a security issue

[mprobst]

Not sure if this is readable to you:
https://github.com/angular/tsickle/network/alert/yarn.lock/mem/open

WS-2018-0236 More information
moderate severity
Vulnerable versions: < 4.0.0
Patched version: 4.0.0
In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

$ npm ls mem
tsickle@0.37.0 /usr/local/google/home/martinprobst/src/tsickle
└─┬ @bazel/jasmine@0.38.0
  └─┬ v8-coverage@1.0.9
    └─┬ yargs@11.1.0
      └─┬ os-locale@2.1.0
        └── mem@1.1.0 

[Toxicable]

I was thinking about this a few days ago and I think we should drop the direct dep on v8-coverage.
This is the only module we need from it: https://github.com/Eywek/v8-coverage/blob/master/src/report.js
Which dosen't have much logic, so wouldn't be hard to migrate.

Doing this would reduce the transative deps we have for coverage but increase at the direct deps we have to include:

• istanbul-lib-coverage
• istanbul-lib-reports
• v8-to-istanbul

[Toxicable]

I also have this PR where I could make t hose changes: #1135

Will try find some time on an afternoon this week, otherwise this weekend