upgrade to webpack 4+ or find alternatives for css-loader

[acautin]

the version currently used in https://github.com/webpack-contrib/css-loader includes a vulnerable dependency however latest versions require Webpack version 4+.

[acautin]

Other vulnerable packages from our dev dependency:

• mixin-deep (Imported by Webpack)
• set-value (Imported from Webpack)
• braces (Imported from Karma)

Tried using yarn audit fix, but it is not implemented, ref: yarnpkg/yarn#7075

Also npm audit fix can't work with the yarn lock file.

~/Documents/k2_informatics/sbsgui/_checkouts/dderl/priv/dev $ npm audit fix
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/agustin/.npm/_logs/2019-07-15T13_16_57_914Z-debug.log

The effort to solve this is not trivial as it requires upgrading Webpack to version 4+. All the vulnerabilities found so far are dev dependencies which means fixing them is not urgent (dev dependencies are not included in the release).

cc @c-bik