Bumps underscore.string to 3.3.5

[claudiopro]

Summary

Updates underscore.string to v3.3.5 to mitigate ReDoS vulnerability tracked by esamattis/underscore.string#510

Test Plan

cd website
yarn
yarn start

[facebook-github-bot]

@claudiopro has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

[yangshun]

I just tried this same approach in Docusaurus 1 core but underscore.string@2.4.0 still remains.

=> Found "remarkable#underscore.string@2.4.0"
info Reasons this module exists
   - "_project_#docusaurus#remarkable#argparse" depends on it
   - Hoisted from "_project_#docusaurus#remarkable#argparse#underscore.string"
info Disk size without dependencies: "76KB"
info Disk size with unique dependencies: "76KB"
info Disk size with transitive dependencies: "76KB"
info Number of shared dependencies: 0

I'm not sure if explicitly bumping underscore.string will help at all. remarkable depends on a very old (pre 1.0.0) version of argparse (argparse": "~0.1.15" in its package.json) and we can't get rid of underscore.string unless remarkable upgrades.

[JoelMarcey]

Is that an issue we can file at https://github.com/jonschlinkert/remarkable re: upgrading?

[claudiopro]

@JoelMarcey we should, but the fact that a PR to fix a ReDoS vulnerability has not been responded for two months doesn't give me much hope

I tried to DM Jon on Twitter but he hasn't replied yet 😞

[claudiopro]

This is tracked by jonschlinkert/remarkable#310 and addressed by jonschlinkert/remarkable#323

[yangshun]

@claudiopro I think we can close this issue now that we've moved the website to Docusaurus 2