- Bug
- Resolution: Fixed
- Major
- 3.9.7, 3.10.4, 3.11, 4.0
- MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
- MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE
For some weeks now, GH's dependabot has been telling us about a couple of security problems with our core nodejs stuff.
The problem (security-wise) is minor because we only use nodejs and composer as development dependencies, not for running the sites.
Still, it would be better to be clean of those potential security risks and reports.
Current reports are:
1) grunt package: High severity: CVE-2020-7729
Vulnerable versions: < 1.3.0
Patched version: 1.3.0
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

2) xmldom package: Low severity: GHSA-h6q6-9hqw-rwfv
Vulnerable versions: < 0.5.0
Patched version: 0.5.0
Impact
xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.
This may lead to unexpected syntactic changes during XML processing in some downstream applications.
Patches
Update to 0.5.0 (once it is released)