Update/Remove babel-core in a new major version
Currently jscodeshift depends on an old version of babel-core, which depends on minimatch@2, which

- Reports a security warning on `npm install` pointing to a security issue
- Reports errors for `nsp`, which checks for security warnings

Because of these two problems I’m unwilling to use this package. These warnings/errors are transitive and I don’t want my users to see security issues reported. Note that this is not a real security issue for jscodeshift, because it’s not using the affected babel options. Nevertheless I don’t want to tell every user to ignore these warnings, because it affects the trust in security warnings!
In another issue you pointed out that removing/updating babel would be a backward incompatible change:
see https://github.com/facebook/jscodeshift/pull/198#issuecomment-304329657
> Yeah, this is not something we can do because we need babel v5 for backwards compatibility. Maybe if we release a new breaking version we could remove babel v5 support, but not at the moment.

So I propose to increase the major version and release a breaking change.
Do you really want a security warning reported on every npm install of your package? This affects the trust in security warnings! This trust is important for the community! Especially a package under the facebook namespace should be an example.
Issue Analytics
- Created 6 years ago
- Reactions:13
- Comments:17 (12 by maintainers)
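
To see which direct dependency brings in a flagged transitive package, such as the minimatch@2 described in the issue, the installed dependency tree can be walked. This is an added example, not code from the issue or from jscodeshift; the tree is a constructed sample in the shape of `npm ls --json` output, and every version string and the names `my-app`, `glob`, `findPaths` and `directCulprits` are assumptions.

```javascript
// Constructed sample shaped like `npm ls --json` output. Versions are
// placeholders; only the chain jscodeshift -> babel-core -> minimatch@2
// is taken from the issue text.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    jscodeshift: {
      version: "0.0.0-sample",
      dependencies: {
        "babel-core": {
          version: "5.0.0-sample",
          dependencies: { minimatch: { version: "2.0.0-sample" } },
        },
      },
    },
    // Unrelated package on a different major, to show it is not reported.
    glob: {
      version: "0.0.0-sample",
      dependencies: { minimatch: { version: "3.0.0-sample" } },
    },
  },
};

// Return every dependency path ending at `name` with the given major version.
function findPaths(tree, name, major) {
  const hits = [];
  const walk = (node, nodeName, trail) => {
    const here = trail.concat(`${nodeName}@${node.version}`);
    // parseInt reads the leading major number; a missing version yields NaN.
    if (nodeName === name && parseInt(node.version, 10) === major) hits.push(here);
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Group flagged paths by the direct dependency that pulls them in.
function directCulprits(tree, name, major) {
  const out = {};
  for (const p of findPaths(tree, name, major)) {
    const direct = p.length > 1 ? p[1] : p[0];
    (out[direct] = out[direct] || []).push(p.join(" > "));
  }
  return out;
}
```

On a real project the input would be the parsed output of `npm ls --json`, and the grouping shows which direct dependency would need a new release for the warning to go away.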
Top GitHub Comments
@ematipico you can’t just upgrade babel like that because babel6 is not retrocompatible with babel5 (it does not have the parse() method anymore, so you need to call Babylon directly with the correct setup to produce an AST compatible with babel5).
My PR tries to keep this retrocompatibility: https://github.com/facebook/jscodeshift/pull/230
This makes it possible to ensure that normally all existing codemods would still run fine against the new version of jscodeshift.
Don’t know if this was backported but it’s in plugin list 😃
great to see this solved 😃 thanks