2792, 2821, 2901 Security issues #3003

Merged
merged 5 commits into from Jul 3, 2019


@rfultz rfultz commented Jun 27, 2019

Summary

Impacted areas of the application

Screenshots

Nothing to see on the front end

Related PRs

None

How to test

  1. Switch to Node 10.16.0 if you can: nvm use 10.16.0 (if that fails, install it: nvm install 10.16.0)
  2. Upgrade the global Node Package Manager (NPM) to 6.9.1: npm i -g npm@latest or npm i -g npm
  3. Because we may have changed Node and NPM versions, rebuild Node-Sass: npm rebuild node-sass
  4. Probably not necessary but, just in case, let's reset our packages
    1. Dump the fec-cms/node_modules directory (rm -rf node_modules)
    2. Clear the cache: npm cache clear --force
  5. Install all of the packages: npm i (it'll take a bit)
  6. Run the audit: npm audit or npm audit fix --force
    There should be only one vulnerability: one for braces (which is only used for dev, not prod)

To test for errors:

  1. Quick build: npm run build
  2. Full build: npm run build-production
  3. Tests: npm run test-single
  4. Browse the site, especially the more complicated parts. There should be zero changes to how the site behaves

NOTE

Because this update changes the version of Node and npm, and our dev, stg, and prd environments come with default versions as part of their images, we'll want to make sure the various servers update accordingly.

NOTE

This PR addresses these issues as they're seen in npm audit, which are the same issues that Snyk reported, but we still need to get the code to dev, etc., for Snyk to approve it.
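
An added example, not part of this PR or the project's code: a check for step 6 of the test steps above that passes only when every advisory left in the audit report is reachable solely through dev dependencies and is on an allow-list (braces here). It assumes the npm 6 `npm audit --json` layout (`advisories` entries with `module_name`, `severity` and `findings[].dev`); the function names, the allow-list and the sample report are constructed for illustration.

```javascript
// Added example: gate on an `npm audit --json` report (npm 6 layout assumed).
// Hypothetical helper names; not taken from the fec-cms repository.

// Constructed sample report, trimmed to the fields read below.
const sampleReport = {
  advisories: {
    "1": { // constructed id, not a real advisory number
      module_name: "braces",
      severity: "low",
      findings: [{ version: "0.0.0", paths: ["dev-tool>braces"], dev: true }],
    },
  },
};

// Split advisories into dev-only and production-reachable.
function classifyAdvisories(report) {
  const result = { devOnly: [], production: [] };
  for (const adv of Object.values(report.advisories || {})) {
    const findings = adv.findings || [];
    // Fail closed: no findings, or any finding not flagged dev, counts as production.
    const devOnly = findings.length > 0 && findings.every((f) => f.dev === true);
    const entry = {
      module: adv.module_name,
      severity: adv.severity,
      paths: [].concat(...findings.map((f) => f.paths || [])),
    };
    (devOnly ? result.devOnly : result.production).push(entry);
  }
  return result;
}

// allowedDev: modules accepted as dev-only leftovers (braces, per the PR text).
function auditGate(report, allowedDev = ["braces"]) {
  const { devOnly, production } = classifyAdvisories(report);
  const unexpectedDev = devOnly.filter((e) => !allowedDev.includes(e.module));
  return {
    ok: production.length === 0 && unexpectedDev.length === 0,
    production,
    unexpectedDev,
    devOnly,
  };
}

// Parse raw `npm audit --json` text and return the verdict.
function auditGateFromJson(text, allowedDev) {
  return auditGate(JSON.parse(text), allowedDev);
}

console.log(JSON.stringify(auditGate(sampleReport), null, 2));
```

An advisory with both a dev and a non-dev finding is classified as production, so a package pulled in through both trees still fails the gate.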


@rfultz rfultz self-assigned this Jun 27, 2019
@lbeaufort lbeaufort requested review from lbeaufort and removed request for jason-upchurch June 28, 2019 14:04
@lbeaufort lbeaufort changed the title 2792, 2821, 2901 Security issues [Do not merge] 2792, 2821, 2901 Security issues Jun 28, 2019

codecov-io commented Jun 28, 2019

Codecov Report

Merging #3003 into develop will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff            @@
##           develop    #3003   +/-   ##
========================================
  Coverage    74.85%   74.85%           
========================================
  Files          119      119           
  Lines         7130     7130           
  Branches       615      615           
========================================
  Hits          5337     5337           
  Misses        1793     1793

Last update 153f546...d524895.

@lbeaufort lbeaufort changed the title [Do not merge] 2792, 2821, 2901 Security issues 2792, 2821, 2901 Security issues Jul 1, 2019
@dorothyyeager dorothyyeager removed the request for review from lbeaufort July 2, 2019 14:04

@patphongs patphongs left a comment


@rfultz This looks good to me, let's go ahead and remove the TODO that references file-loader since we are not going that direction anymore:

// // TODO - move these to their final home


@patphongs patphongs left a comment


LGTM

@dorothyyeager dorothyyeager removed the request for review from johnnyporkchops July 3, 2019 14:01
@dorothyyeager dorothyyeager merged commit c146cee into develop Jul 3, 2019
@dorothyyeager dorothyyeager deleted the feature/2792-2821-2901-security-updates branch July 3, 2019 14:02