
Upgrade backend dependencies #1193

Merged
merged 2 commits into from
Sep 20, 2024

Conversation

@ktuite ktuite commented Sep 19, 2024

Closes getodk/central#652

When I first ran npm audit:

# npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/body-parser
  express  <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/findup-sync/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/findup-sync/node_modules/micromatch
    findup-sync  0.4.0 - 3.0.0
    Depends on vulnerable versions of micromatch
    node_modules/findup-sync
      liftoff  2.2.3 - 3.1.0
      Depends on vulnerable versions of findup-sync
      node_modules/liftoff
        knex  <=2.3.0
        Depends on vulnerable versions of liftoff
        node_modules/knex
path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/express/node_modules/path-to-regexp

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

10 vulnerabilities (4 moderate, 6 high)

A couple of those mentioned express, so I upgraded express from 4.19 to 4.21...

but then I was still seeing NPM warnings

npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

The uuid complaint seemed to come from pm2, so I upgraded that from 5.3 to 5.4:

ktuite@snickerdoodle central-backend % npm ls uuid
[email protected] /Users/ktuite/Desktop/code/odk/central-backend
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ [email protected]
│ └─┬ @pm2/[email protected]
│   ├─┬ @opencensus/[email protected]
│   │ └── [email protected]
│   └─┬ @opencensus/[email protected]
│     ├─┬ @opencensus/[email protected]
│     │ └── [email protected] deduped
│     └── [email protected]
├─┬ slonik@npm:@getodk/[email protected]
│ └─┬ [email protected]
│   └── [email protected]
└── [email protected]

The remaining npm warning and npm audit issues are the same and seem to be tied to our old knex:

npm ls source-map-url urix resolve-url source-map-resolve

[email protected] /Users/ktuite/Desktop/code/odk/central-backend
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └─┬ [email protected]
          └─┬ [email protected]
            ├── [email protected]
            ├── [email protected]
            └── [email protected]

remaining npm audit output:

# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/findup-sync/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/findup-sync/node_modules/micromatch
    findup-sync  0.4.0 - 3.0.0
    Depends on vulnerable versions of micromatch
    node_modules/findup-sync
      liftoff  2.2.3 - 3.1.0
      Depends on vulnerable versions of findup-sync
      node_modules/liftoff
        knex  <=2.3.0
        Depends on vulnerable versions of liftoff
        node_modules/knex
5 vulnerabilities (2 moderate, 3 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
ktuite@snickerdoodle central-backend % npm ls braces
[email protected] /Users/ktuite/Desktop/code/odk/central-backend
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] deduped

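The chains quoted above (knex > liftoff > findup-sync > micromatch > braces) are what a reviewer has to untangle before deciding whether the `npm audit fix --force` route, which would install a breaking knex, is acceptable or whether one top-level package can be bumped deliberately instead. The script below is an added example, not code from the getodk/central-backend project or from this PR: it walks an `npm ls --json`-shaped tree, lists every path from the root to a package, checks each leaf version against the range npm audit prints, and names the top-level dependency that anchors each vulnerable path. The sample tree is constructed by hand to mirror the `npm ls braces` output in the PR; every version number in it is assumed (the page does not show them), and the range parser only handles the forms npm audit prints (`<X`, `<=X`, `X - Y`, `||`) and ignores prerelease tags.

```javascript
// Added example (not part of getodk/central-backend or this PR): find the
// dependency paths that carry a vulnerable version and which top-level
// package each one hangs off.

// "1.2.3" -> [1, 2, 3]. Prerelease tags are dropped (assumption: plain
// semver only), so "5.0.0-beta.3" compares equal to "5.0.0".
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Classic three-part comparison; missing parts count as 0.
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Supports only the range shapes npm audit prints: "<X", "<=X", "X - Y",
// and alternatives joined by "||". Use the semver package for anything else.
function inRange(version, range) {
  return range.split('||').some(part => {
    part = part.trim();
    const hyphen = part.match(/^(\S+)\s+-\s+(\S+)$/);
    if (hyphen) {
      return compare(version, hyphen[1]) >= 0 && compare(version, hyphen[2]) <= 0;
    }
    const m = part.match(/^(<=|<|>=|>)\s*(\S+)$/);
    if (!m) throw new Error(`unsupported range: ${part}`);
    const c = compare(version, m[2]);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 }[m[1]];
  });
}

// Walk nested `dependencies` objects (the shape `npm ls --all --json`
// emits) and collect every path that ends at `name`.
function findPaths(tree, name, prefix = []) {
  const paths = [];
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...prefix, { name: dep, version: node.version }];
    if (dep === name) paths.push(here);
    paths.push(...findPaths(node, name, here));
  }
  return paths;
}

// For each path to `name`, say whether the leaf version falls in the
// advisory range and which direct dependency would have to move to fix it.
function triage(tree, name, range) {
  return findPaths(tree, name).map(path => {
    const leaf = path[path.length - 1];
    return {
      path: path.map(p => `${p.name}@${p.version}`).join(' > '),
      vulnerable: inRange(leaf.version, range),
      topLevel: path[0].name,
    };
  });
}

// Constructed sample mirroring the `npm ls braces` tree in the PR.
// All version numbers here are assumed, not taken from the page.
const sampleTree = {
  name: 'backend', version: '0.0.0',
  dependencies: {
    eslint: { version: '8.57.0', dependencies: {
      micromatch: { version: '4.0.8', dependencies: {
        braces: { version: '3.0.3' } } } } },
    knex: { version: '2.3.0', dependencies: {
      liftoff: { version: '3.1.0', dependencies: {
        'findup-sync': { version: '3.0.0', dependencies: {
          micromatch: { version: '4.0.7', dependencies: {
            braces: { version: '2.3.2' } } } } } } } } },
    mocha: { version: '10.7.3', dependencies: {
      chokidar: { version: '3.6.0', dependencies: {
        braces: { version: '3.0.3' } } } } },
  },
};

// Range copied from the braces advisory line in the audit output above.
for (const row of triage(sampleTree, 'braces', '<3.0.3')) {
  console.log(row.vulnerable ? 'VULN' : 'ok  ', row.topLevel.padEnd(8), row.path);
}
```

Running this on the sample prints three paths to braces and marks only the knex one as vulnerable, which is the practical answer to the PR's question: the eslint and mocha chains are already on a fixed braces, so the remaining finding is cleared by bumping knex, not by letting `npm audit fix --force` choose the version. To run it against a real checkout, replace `sampleTree` with the parsed output of `npm ls --all --json` and take the package name and range from `npm audit --json`; for real range matching, prefer `semver.satisfies` from the semver package, since this parser ignores prerelease tags.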
@ktuite ktuite merged commit b80f19b into master Sep 20, 2024
6 checks passed
@ktuite ktuite deleted the ktuite/upgrade_deps branch September 20, 2024 17:08
Successfully merging this pull request may close these issues.

Update backend dependencies for v2024.2