Updating the yarn.lock file: to not include security warnings and be generally up to date
We have a yarn.lock file that should be version controlled and updated. The yarn.lock file will be used during this step in our publishing workflow to influence the node environment that is used to build the javascript we ship (see https://github.com/jupyterhub/jupyter-server-proxy/issues/305#issuecomment-981645351).
Dependabot has created a few PRs to update this file, but at this point we have the following security warnings but no dependabot PR resolving it.
I figured I’d try to update the versions of yarn.lock by deleting it and letting the python setup.py sdist bdist_wheel command recreate it for me. But, that caused an error.
python setup.py sdist bdist_wheel
/home/erik/dev/contrib/jupyterhub/jupyter-server-proxy/setup.py:55: DeprecatedWarning: create_cmdclass is deprecated as of 0.8 and will be removed in 1.0. "
Use `wrap_installers` to handle prebuild steps in cmdclass.
Use `get_data_files` to handle data files.
Use `include_package_data=True` and `MANIFEST.in` for package data.
cmdclass = create_cmdclass(
/home/erik/dev/contrib/jupyterhub/jupyter-server-proxy/setup.py:60: DeprecatedWarning: install_npm is deprecated as of 0.8 and will be removed in 1.0. Use `npm_builder` and `wrap_installers`
install_npm(HERE / "jupyterlab-server-proxy", build_cmd="build:prod", npm=["jlpm"]),
running sdist
running jsdeps
Installing build dependencies with npm. This may take a while...
> jlpm install
yarn install v1.21.1
info No lockfile found.
[1/4] Resolving packages...
warning @jupyterlab/application > @jupyterlab/apputils > url > querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
warning @jupyterlab/application > @jupyterlab/ui-components > @blueprintjs/core > popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
warning @jupyterlab/application > @jupyterlab/ui-components > @blueprintjs/core > react-popper > popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
warning @jupyterlab/builder > @jupyterlab/buildutils > crypto@1.0.1: This package is no longer supported. It's now a built-in Node module. If you've depended on crypto, you should switch to the one that's built-in.
warning @jupyterlab/builder > @jupyterlab/buildutils > verdaccio > request@2.88.0: request has been deprecated, see https://github.com/request/request/issues/3142
warning @jupyterlab/builder > @jupyterlab/buildutils > verdaccio > @verdaccio/readme > jsdom > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning @jupyterlab/builder > @jupyterlab/buildutils > verdaccio > request > har-validator@5.1.5: this library is no longer supported
warning @jupyterlab/builder > @jupyterlab/buildutils > verdaccio > @verdaccio/readme > jsdom > request > har-validator@5.1.5: this library is no longer supported
warning @jupyterlab/builder > @jupyterlab/buildutils > verdaccio > request > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning @jupyterlab/builder > @jupyterlab/buildutils > verdaccio > @verdaccio/readme > jsdom > request > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning @jupyterlab/builder > @jupyterlab/buildutils > verdaccio > @verdaccio/readme > jsdom > request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
[2/4] Fetching packages...
[3/4] Linking dependencies...
warning "@jupyterlab/application > @jupyterlab/ui-components@3.2.4" has unmet peer dependency "react@^17.0.1".
warning "@jupyterlab/application > @lumino/coreutils@1.11.1" has unmet peer dependency "crypto@1.0.1".
warning "@jupyterlab/application > @jupyterlab/rendermime > @jupyterlab/codemirror > y-codemirror@3.0.1" has unmet peer dependency "yjs@^13.5.17".
warning "@jupyterlab/builder > @jupyterlab/buildutils > verdaccio > clipanion@3.1.0" has unmet peer dependency "typanion@*".
warning Workspaces can only be enabled in private projects.
warning Workspaces can only be enabled in private projects.
[4/4] Building fresh packages...
error /home/erik/dev/contrib/jupyterhub/jupyter-server-proxy/jupyterlab-server-proxy/node_modules/yjs: Command failed.
Exit code: 1
Command: node ./sponsor-y.js
Arguments:
Directory: /home/erik/dev/contrib/jupyterhub/jupyter-server-proxy/jupyterlab-server-proxy/node_modules/yjs
Output:
internal/modules/cjs/loader.js:1174
throw new ERR_REQUIRE_ESM(filename, parentPath, packageJsonPath);
^
Error [ERR_REQUIRE_ESM]: Must use import to load ES Module: /home/erik/dev/contrib/jupyterhub/jupyter-server-proxy/jupyterlab-server-proxy/node_modules/yjs/sponsor-y.js
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1174:13)
at Module.load (internal/modules/cjs/loader.js:1002:32)
at Function.Module._load (internal/modules/cjs/loader.js:901:14)
at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
at internal/main/run_main_module.js:18:47 {
code: 'ERR_REQUIRE_ESM'
Traceback (most recent call last):
File "/home/erik/dev/contrib/jupyterhub/jupyter-server-proxy/setup.py", line 139, in <module>
setuptools.setup(**setup_args)
File "/home/erik/miniforge3/lib/python3.9/site-packages/setuptools/__init__.py", line 153, in setup
return distutils.core.setup(**attrs)
File "/home/erik/miniforge3/lib/python3.9/distutils/core.py", line 148, in setup
dist.run_commands()
File "/home/erik/miniforge3/lib/python3.9/distutils/dist.py", line 966, in run_commands
self.run_command(cmd)
File "/home/erik/miniforge3/lib/python3.9/distutils/dist.py", line 985, in run_command
cmd_obj.run()
File "/home/erik/miniforge3/lib/python3.9/site-packages/jupyter_packaging/setupbase.py", line 640, in run
[self.run_command(cmd) for cmd in cmds]
File "/home/erik/miniforge3/lib/python3.9/site-packages/jupyter_packaging/setupbase.py", line 640, in <listcomp>
[self.run_command(cmd) for cmd in cmds]
File "/home/erik/miniforge3/lib/python3.9/distutils/cmd.py", line 313, in run_command
self.distribution.run_command(command)
File "/home/erik/miniforge3/lib/python3.9/distutils/dist.py", line 985, in run_command
cmd_obj.run()
File "/home/erik/miniforge3/lib/python3.9/site-packages/jupyter_packaging/setupbase.py", line 321, in run
c.run()
File "/home/erik/miniforge3/lib/python3.9/site-packages/jupyter_packaging/setupbase.py", line 615, in run
builder()
File "/home/erik/miniforge3/lib/python3.9/site-packages/jupyter_packaging/setupbase.py", line 212, in builder
run(npm_cmd + ['install'], cwd=node_package)
File "/home/erik/miniforge3/lib/python3.9/site-packages/jupyter_packaging/setupbase.py", line 275, in run
return subprocess.check_call(cmd, **kwargs)
File "/home/erik/miniforge3/lib/python3.9/subprocess.py", line 373, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/home/erik/miniforge3/bin/jlpm', 'install']' returned non-zero exit status 1.
I’d like to bump the dependencies in yarn.lock before we cut a release, so that we get rid of the security warnings. Any suggestions on how to go about this? I’m not experienced enough with the npm/yarn/jlpm tooling to know quickly what to do about this.
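As an added example (not code from the issue or from jupyter-server-proxy), the script below parses a yarn.lock v1 file and applies the checks a release reviewer would want before the lockfile is allowed to drive the build environment: every entry is pinned by an integrity hash, every tarball comes from an approved registry host, and none of the packages the install warnings above call out (request, har-validator, the userland crypto and querystring packages, uuid below 7) are present. The allowed-host set, the deprecated-package list and thresholds, and the sample lockfile (with placeholder hashes) are assumptions constructed for the example.

```python
"""Audit a yarn.lock (v1) before a release: added example, not jupyter-server-proxy code.
Checks: (1) every entry has an `integrity` hash, (2) every tarball resolves to an
approved registry host, (3) no entry is a package the install log above flagged as
deprecated or unsafe. The host list and version thresholds are assumptions."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_HOSTS = {"registry.yarnpkg.com", "registry.npmjs.org"}  # assumption
# Packages named in the `jlpm install` warnings: minimum acceptable major version,
# or None to flag any version (the uuid threshold is taken from the warning text).
DEPRECATED: Dict[str, Optional[int]] = {
    "request": None, "request-promise-native": None, "har-validator": None,
    "crypto": None, "querystring": None, "uuid": 7,
}

@dataclass
class LockEntry:
    name: str
    specs: List[str]  # the "name@range" keys that share this entry
    version: str = ""
    resolved: str = ""
    integrity: str = ""

def _major(version: str) -> int:
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else -1  # unparseable: below any threshold

def parse_yarn_lock_v1(text: str) -> List[LockEntry]:
    """yarn.lock v1: unindented entry headers, 2-space fields, deeper sub-blocks."""
    entries: List[LockEntry] = []
    current: Optional[LockEntry] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:  # header: comma-separated "name@range" specs, trailing ':'
            specs = [s.strip().strip('"') for s in line.rstrip(":").split(",")]
            current = LockEntry(name=specs[0].rsplit("@", 1)[0], specs=specs)
            entries.append(current)
        elif indent == 2 and not line.endswith(":") and current is not None:
            key, value = shlex.split(line)  # shlex strips the quotes around values
            if key in ("version", "resolved", "integrity"):
                setattr(current, key, value)
        # deeper lines (dependencies: sub-blocks) are not needed for the audit
    return entries

def audit_lockfile(text: str, allowed_hosts=ALLOWED_HOSTS,
                   deprecated=DEPRECATED) -> List[Tuple[str, str, str]]:
    """Return sorted (name, version, reason) findings; an empty list means clean."""
    findings = []
    for e in parse_yarn_lock_v1(text):
        if not e.integrity:
            findings.append((e.name, e.version, "no integrity hash: tarball content not pinned"))
        host = urlparse(e.resolved).hostname or ""
        if host not in allowed_hosts:
            findings.append((e.name, e.version, f"resolved from unapproved host {host!r}"))
        if e.name in deprecated:
            min_major = deprecated[e.name]
            if min_major is None or _major(e.version) < min_major:
                findings.append((e.name, e.version, "deprecated or known-weak package"))
    return sorted(findings)

# Constructed sample lockfile; the integrity values are placeholders, not real hashes.
SAMPLE_LOCK = """\
# yarn lockfile v1

"@jupyterlab/application@^3.2.4":
  version "3.2.4"
  resolved "https://registry.yarnpkg.com/@jupyterlab/application/-/application-3.2.4.tgz#0000"
  integrity sha512-PLACEHOLDER0==

request@^2.88.0, request@^2.88.2:
  version "2.88.2"
  resolved "https://registry.yarnpkg.com/request/-/request-2.88.2.tgz#0000"
  integrity sha512-PLACEHOLDER1==

uuid@^3.3.2:
  version "3.4.0"
  resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#0000"
  integrity sha512-PLACEHOLDER2==

example-no-hash@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/example-no-hash/-/example-no-hash-1.0.0.tgz#0000"

example-fork@^1.0.0:
  version "1.0.0"
  resolved "https://codeload.github.com/example/example-fork/tar.gz/abcdef"
  integrity sha512-PLACEHOLDER3==
"""

if __name__ == "__main__":
    print(*audit_lockfile(SAMPLE_LOCK), sep="\n")
```

To use it on the real file, read the project's yarn.lock instead of SAMPLE_LOCK and fail the release job on a non-empty result; paired with `yarn install --frozen-lockfile` in CI, that makes a regenerated lockfile unable to quietly introduce an unpinned or off-registry tarball.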
Issue Analytics
- Created 2 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
I’ll take a look. But this is precisely why having a yarn.lock is handy!

Issue created: https://github.com/jupyterhub/jupyter-server-proxy/issues/308