Bump RetireJS to 2.X

Problem to solve

RetireJS is now at 2.X. We should update our analyzer.

Target audience

Developer, various Security roles.

Further details

2.x output:

{
  "version": "2.0.2",
  "start": "2018-12-17T15:55:52.351Z",
  "data": [
    {
      "file": "node_modules/ansi2html/package.json",
      "results": [
        {
          "component": "ansi2html",
          "version": "0.0.1",
          "vulnerabilities": [
            {
              "info": ["https://nodesecurity.io/advisories/51"],
              "below": "100",
              "severity": "high"
            }
          ]
        }
      ]
    }
  ],
  "messages": [],
  "errors": [],
  "time": 0.073
}

1.x output:

[
  {
    "results": [
      {
        "component": "ansi2html",
        "version": "0.0.1",
        "parent": { "component": "sast-test-npm", "version": "1.0.0" },
        "level": 1,
        "vulnerabilities": [
          {
            "info": ["https://nodesecurity.io/advisories/51"],
            "severity": "high"
          }
        ]
      }
    ]
  }
]

Proposal

Bump RetireJS to 2.X and adapt our analyzer to the new output.
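As an added example (not the analyzer's own code; Go is an assumption about the analyzer's language, and the `Finding`, `entry` and `ParseRetireJS` names are hypothetical), a parser that accepts both report shapes shown above and flattens them into one record per vulnerability, so the rest of the analyzer no longer depends on which RetireJS major version produced the report:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)
// Finding is the analyzer-side record that both report formats are normalized into.
type Finding struct {
	File, Component, Version, Severity string
	Info                               []string
}
// entry is one element of the 1.x top-level array and of the 2.x "data" array.
// 1.x-only fields ("parent", "level") are ignored; "file" is populated by 2.x only.
type entry struct {
	File    string `json:"file"`
	Results []struct {
		Component       string `json:"component"`
		Version         string `json:"version"`
		Vulnerabilities []struct {
			Info     []string `json:"info"`
			Severity string   `json:"severity"`
		} `json:"vulnerabilities"`
	} `json:"results"`
}
// ParseRetireJS flattens a RetireJS 1.x or 2.x JSON report into findings.
func ParseRetireJS(raw []byte) ([]Finding, error) {
	raw = bytes.TrimSpace(raw)
	// 2.x wraps the entries in an object under "data"; 1.x is the bare array.
	if bytes.HasPrefix(raw, []byte("{")) {
		var wrapped struct{ Data json.RawMessage `json:"data"` }
		if err := json.Unmarshal(raw, &wrapped); err != nil {
			return nil, err
		}
		raw = wrapped.Data
	}
	var entries []entry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, fmt.Errorf("unrecognized RetireJS report: %w", err)
	}
	var out []Finding
	for _, e := range entries {
		for _, r := range e.Results {
			for _, v := range r.Vulnerabilities {
				out = append(out, Finding{e.File, r.Component, r.Version, v.Severity, v.Info})
			}
		}
	}
	return out, nil
}
```

Fed the 2.x report above it yields one finding with `File` set to `node_modules/ansi2html/package.json`; fed the 1.x report it yields the same component, version and severity with an empty `File`.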

What does success look like, and how can we measure that?

Our RetireJS Analyzer

Links / references

Edited Dec 17, 2018 by Olivier Gonzalez