
Conversation

@nileshgulia1 nileshgulia1 commented Oct 2, 2025

execa <2.0.0 has a critical security vulnerability in docker. According to docker scout:

   1C     0H     0M     0L  execa 0.6.3
pkg:npm/[email protected]

Dockerfile (22:22)
COPY --from=builder /app/ /app/

    ✗ CRITICAL GMS-2020-2 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/GMS-2020-2
      Affected range : <2.0.0
      Fixed version  : 2.0.0
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

I updated it to the latest version with a small API change. Right now, execa 1.0.0 is still being installed through @testing-library/jest-dom and razzle (which isn’t maintained anymore). [email protected] is also a direct dependency of "sane" (v4.x, which again comes from majorly "jest"). This issue is fixed in [email protected], so it’s worth considering an upgrade/override.
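As an added example (not code from this PR or from the project), the check below walks an npm lockfile's "packages" map and lists every installed copy of execa that is still below the fixed 2.0.0, together with the dependency whose nested node_modules it lives in. The lockfile content is constructed sample data mirroring the situation described above, and the function names are mine.

```javascript
// Constructed sample lockfile (v3 layout): the root now has execa 2.0.0, but
// three dependencies still nest their own execa 1.0.0. Parent versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { execa: "2.0.0" } },
    "node_modules/execa": { version: "2.0.0" },
    "node_modules/razzle": { version: "0.0.0" },
    "node_modules/razzle/node_modules/execa": { version: "1.0.0" },
    "node_modules/sane": { version: "0.0.0" },
    "node_modules/sane/node_modules/execa": { version: "1.0.0" },
    "node_modules/@testing-library/jest-dom": { version: "0.0.0" },
    "node_modules/@testing-library/jest-dom/node_modules/execa": { version: "1.0.0" },
  },
};

// Numeric compare of dotted versions; a pre-release suffix is ignored.
// Returns <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name` below `fixed`, with the package that owns
// the nested node_modules it sits in ("(root)" for the top-level copy).
function findBelowFixed(lock, name, fixed) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix) || !meta.version) continue;
    if (compareVersions(meta.version, fixed) >= 0) continue;
    const owner = path.slice(0, -suffix.length).replace(/\/$/, "");
    const marker = "node_modules/";
    const parent = owner ? owner.slice(owner.lastIndexOf(marker) + marker.length) : "(root)";
    hits.push({ path, version: meta.version, parent });
  }
  return hits.sort((x, y) => x.path.localeCompare(y.path));
}

for (const h of findBelowFixed(SAMPLE_LOCK, "execa", "2.0.0")) {
  console.log(`${h.parent} still installs ${h.version} at ${h.path}`);
}
```

Each reported parent is a candidate for an npm `overrides` (or yarn `resolutions`) entry pinning execa to 2.0.0, which is the override route the description suggests.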

"chalk": "4",
"commander": "8.2.0",
"comment-json": "^4.2.3",
"execa": "0.6.3",
Member Author


@sneridagh Any idea why we are using very old version, bundlesize?


@wesleybl wesleybl left a comment


LGTM

wesleybl commented Oct 3, 2025

Right now, execa 1.0.0 is still being installed through @testing-library/jest-dom and razzle (which isn’t maintained anymore). [email protected] is also a direct dependency of "sane" (v4.x, which again comes from majorly "jest"). This issue is fixed in [email protected], so it’s worth considering an upgrade/override.

I agree with that.

In fact, I'm wondering if it's worth creating a new "@volto/razzle" package to update these packages. But maybe that wouldn't be worth it because these issues will be fixed in Seven.
