chore(deps): automatically audit fix UI deps

[agilgur5]

Partial fix for #12031, Vulnerabilities

Motivation

• 77 vulns -> 1 vuln
  • the 1 remaining is a dep of swagger-ui-react, which has it pinned to a specific version
    • see also chore(deps): bump swagger-ui-react from 4.12.0 to 5.1.3 in /ui #11418 (comment); swagger-ui-react is blocked on upgrading due to other devDeps
    • EDIT: see minor bump of swagger-ui-react in fix(deps): upgrade swagger-ui-react to latest 4.x.x #12058
• Some dependabot PRs have stalled because it's not deduplicating dependencies 😕
  • See chore(deps-dev): bump @babel/preset-env from 7.22.10 to 7.22.14 in /ui #11728 (comment)
• Improve OpenSSF Scorecard Vulnerabilities check
  • all but one of the vulns currently reported are in JS deps
    • the remaining one is a vuln in the AWS Go SDK with no patch currently available
      • EDIT: see upgrade to AWS Go SDK v2 in refactor(deps): upgrade to aws-sdk-go-v2 pkg#529

Modifications

• ran npx yarn-audit-fix && yarn deduplicate
  • see https://github.com/antongolub/yarn-audit-fix, a Yarn variant for npm audit fix

Verification

• ran yarn after, no additional changes
  • audit fix will only bump versions in a SemVer compatible way, so no major bumps here; mostly patches

[terrytangyuan]

This should be part of ui lint? npx yarn-audit-fix && yarn deduplicate

[agilgur5]

This should be part of ui lint? npx yarn-audit-fix && yarn deduplicate

No I don't think so, that's why I didn't add it.

Here's a pointed counter-example to demonstrate why: if you change no dependencies yourself in a PR, audit fix may still have changes.
After all, it depends on if there are vulns in your dependencies and a SemVer compatible fix available. Since vulns are discovered in real-time, that is a moving target.

yarn deduplicate on the other hand will only make changes if you made changes to the deps. It will effectively no-op when there are no changes to deps (and if the list has been kept deduped as it is within the UI lint check).