
npm: update devdependencies to remove low security alerts #697

Merged: 3 commits merged into master from misc/remove-security-alerts, Apr 14, 2020

Conversation

peaBerberian
Collaborator

There have been 2 low security alerts for a little more than a week that are linked to our devDependencies.

No urgency here as the risk for the RxPlayer is minimal. The alerts are:

  1. a RegExp DoS for acorn, which we do not use directly
  2. a prototype pollution possibility for animist, which is only used indirectly by karma (our integration and memory tests runner) and thus has little risk of impacting the RxPlayer in any way, and no relation to our builds either

The alert for animist is still there. That module is a dependency of the now-abandoned optimist module, itself a dependency of karma-js.

Karma-js has not yet resolved the problem but has been alerted, and a PR is under way.
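As an added illustration of what "prototype pollution in an argument parser" means in practice (this is example code, not code from the RxPlayer, karma, optimist or the alerted module): a toy minimist-style option parser that writes dotted keys such as `--a.b=1` into nested objects. The naive form follows `obj["__proto__"]` onto the shared `Object.prototype`, so a single argument can add a property to every object in the process; the hardened form uses null-prototype objects and refuses the `__proto__`, `constructor` and `prototype` segments. The function names, `DANGEROUS_KEYS` and the sample argv are constructed for this example.

```javascript
// Added example, not code from RxPlayer, karma, optimist or any parser named
// in the thread: a toy minimist-style option parser that writes dotted keys
// ("--a.b=1") into nested objects, first in a naive form that lets
// "--__proto__.x=y" write onto Object.prototype, then in a hardened form.
// Function names and the sample argv below are constructed for this example.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at the dotted `path` inside `target`, creating intermediate
// objects with `makeObject` as needed. `reject` is an optional predicate that
// refuses a key segment. Returns true if the assignment happened.
function setPath(target, path, value, makeObject, reject) {
  const keys = path.split('.');
  if (reject && keys.some(reject)) return false;
  let obj = target;
  for (const k of keys.slice(0, -1)) {
    // Naive form: on a plain object, obj["__proto__"] resolves to
    // Object.prototype, so the walk silently leaves the result object and
    // continues writing onto the prototype shared by every object.
    if (typeof obj[k] !== 'object' || obj[k] === null) obj[k] = makeObject();
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return true;
}

// Minimal argv parser: "--key=value", bare "--flag" (true) and positionals in "_".
function parseArgs(argv, makeObject, reject) {
  const result = makeObject();
  result._ = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) { result._.push(arg); continue; }
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    const key = eq === -1 ? body : body.slice(0, eq);
    const value = eq === -1 ? true : body.slice(eq + 1);
    setPath(result, key, value, makeObject, reject);
  }
  return result;
}

// Naive: plain objects, every key segment accepted.
function parseArgsNaive(argv) {
  return parseArgs(argv, () => ({}), null);
}

// Hardened: null-prototype objects (no inherited __proto__ accessor or
// constructor to reach) plus an explicit deny-list on key segments.
function parseArgsHardened(argv) {
  return parseArgs(argv, () => Object.create(null), (k) => DANGEROUS_KEYS.has(k));
}

// Run `parser` over `argv` and report whether Object.prototype gained a
// `polluted` property; the property is removed again so runs stay independent.
function demonstrate(parser, argv) {
  const parsed = parser(argv);
  const polluted = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return { parsed, polluted };
}

// Constructed sample input: one malicious option among ordinary ones.
const SAMPLE_ARGV = ['--__proto__.polluted=yes', '--port=8080', '--verbose', 'spec.js'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive    polluted Object.prototype:', demonstrate(parseArgsNaive, SAMPLE_ARGV).polluted);
  console.log('hardened polluted Object.prototype:', demonstrate(parseArgsHardened, SAMPLE_ARGV).polluted);
}
```

The point for a test runner such as karma is that argv is parsed once at startup, so a polluted `Object.prototype` is visible to every later `{}` literal and to every library doing `if (opts.someFlag)` checks; a deny-list alone is fragile (new traversal paths keep turning up), which is why the hardened form also uses `Object.create(null)` so that there is no inherited accessor to walk onto in the first place.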

@peaBerberian
Collaborator Author

I leave it open for now, waiting for the animist problem to be resolved.
Depending on karma's velocity to merge their PR and release it, I might decide to merge it before, even if nothing indicates any real problem for us.

@peaBerberian
Collaborator Author

A PR fixing the bug has been merged (karma-runner/karma#3451) but still no release yet...

@peaBerberian
Collaborator Author

Done. But I also updated RxJS to 6.5.5 (which seems to fix a memory leak in asapScheduler).

As RxJS 6.5.4 broke compatibility with IE11, we'll have to check that one. Worst case scenario, we could just add polyfills in our demo before any code is added.

@peaBerberian peaBerberian merged commit 04ec9f4 into master Apr 14, 2020
@peaBerberian peaBerberian deleted the misc/remove-security-alerts branch June 2, 2020 19:31