install of surge results in deprecations and vulnerabilities

[johndeighan]

$ cd test

johnd@RazerBlade MINGW64 ~/test
$ npm install surge
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 112 packages in 10s

4 packages are looking for funding
  run `npm fund` for details

johnd@RazerBlade MINGW64 ~/test
$ npm audit
# npm audit report

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install surge@0.9.0, which is a breaking change
node_modules/minimist
  surge  >=0.1.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/surge

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install surge@0.9.0, which is a breaking change
node_modules/request

3 vulnerabilities (1 moderate, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

However, even using npm audit fix --force did not clear up the critical vulnerabilities

[balupton]

I use surge to deploy the documentation for the @bevry packages, this has caused all the bevry pakages to be marked as insecure.

[balupton]

dupe of #472