
chore: loosened package restriction on Socket.IO #100

Merged
merged 3 commits into from
Sep 7, 2023

Conversation

kjy5
Member

@kjy5 kjy5 commented Sep 7, 2023

Urchin's package definition conflicted with Ephys Link in VBL docs because the range was too restrictive. When using ~=, defining a patch number (like 5.8.0) restricts the packages to only 5.8.x versions instead of 5.x. Ephys Link is on 5.9.0.

The better solution to this is to use dependabot, which tracks security updates on packages and automatically opens PRs to update them. Ephys Link uses dependabot and then uses the == version restriction to keep exactly the version dependabot detects is safe.

To enable, add .github/dependabot.yml with the following contents:

```yaml
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "pip" # See documentation for possible values
    directory: "API/" # Location of package manifests
    schedule:
      interval: "weekly"
```

You can also add another clause for the NPM packages. In my fork of Urchin when I had enabled this it produced 2 security updates and discovered 5 security vulnerabilities (one of which was critical).
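As an added illustration of the `~=` behaviour described in the comment above (example code written for this page, not part of the pull request or the Urchin project), here is a small checker that expands a PEP 440 compatible-release specifier into the two clauses it is defined as (`>=X.Y.Z` and `==X.Y.*`) and tests candidate versions against it. It handles plain numeric release segments only; pre-release, post-release and local version labels are out of scope, and the version numbers used in the demo are constructed from the ones quoted in the comment.

```python
"""Minimal PEP 440 'compatible release' (~=) checker.

Added example for this page, not part of the pull request. It shows why
'~=5.8.0' (three components) excludes 5.9.0 while '~=5.8' (two components)
accepts it: the '==' prefix clause drops the last component of the floor.
"""
import re
from typing import Tuple

Version = Tuple[int, ...]

_RELEASE_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Version:
    """Turn a release segment such as '5.9.0' into a tuple of ints, (5, 9, 0).

    Only numeric dotted releases are accepted; anything else is rejected rather
    than silently mis-parsed.
    """
    text = text.strip()
    if not _RELEASE_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compatible_release_bounds(spec: str) -> Tuple[Version, Version]:
    """Expand '~=X.Y.Z' into (floor, prefix) meaning '>=X.Y.Z' and '==X.Y.*'.

    PEP 440 requires at least two release components for '~=', because the
    prefix clause is the floor with its last component removed.
    """
    spec = spec.strip()
    if not spec.startswith("~="):
        raise ValueError("only the ~= operator is handled by this example")
    floor = parse_version(spec[2:])
    if len(floor) < 2:
        raise ValueError("~= needs at least two release components (PEP 440)")
    return floor, floor[:-1]


def expand(spec: str) -> str:
    """Human-readable expansion, e.g. '~=5.8.0' -> '>=5.8.0, ==5.8.*'."""
    floor, prefix = compatible_release_bounds(spec)
    fmt = lambda v: ".".join(str(n) for n in v)
    return f">={fmt(floor)}, =={fmt(prefix)}.*"


def _pad(v: Version, n: int) -> Version:
    """Right-pad with zeros so (5, 8) compares equal to (5, 8, 0)."""
    return v + (0,) * (n - len(v))


def satisfies(version: str, spec: str) -> bool:
    """True when `version` lies inside the compatible-release range `spec`."""
    floor, prefix = compatible_release_bounds(spec)
    v = parse_version(version)
    width = max(len(v), len(floor), len(prefix))
    v_p, floor_p = _pad(v, width), _pad(floor, width)
    # Clause 1: >= floor (numeric comparison after zero padding).
    if v_p < floor_p:
        return False
    # Clause 2: == prefix.* (the leading components must match exactly).
    return v_p[: len(prefix)] == prefix


if __name__ == "__main__":
    # Constructed demo: the too-restrictive pin versus the loosened one,
    # checked against the version the comment says Ephys Link is on.
    for spec in ("~=5.8.0", "~=5.8"):
        print(f"{spec:9} means {expand(spec):18} "
              f"-> 5.9.0 allowed: {satisfies('5.9.0', spec)}")
```

The two `print` lines make the point of the comment concrete: `~=5.8.0` expands to `>=5.8.0, ==5.8.*`, which rejects 5.9.0, while `~=5.8` expands to `>=5.8, ==5.*` and accepts any 5.x at or above 5.8. When a reviewer sees a `~=` pin with a patch component, the question to ask is whether the intent really was "this minor series only".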

@dbirman dbirman merged commit 7e47e43 into VirtualBrainLab:develop Sep 7, 2023
1 check passed