Narrow dependency_validator range to avoid NNBD issue

[sourcegraph-wk]

We recently discovered that if a package resolves to dependency_validator >=3.0.0
and build_config <1.0.0, running the dependency_validator tool will fail
during precompilation due to null safety.

We are merging a fix to dependency_validator, but unfortunately it won't
prevent consumers from resolving to the v3.x versions that still have the
issue. This PR addresses the issue for consumers by narrowing the range to
no longer include dependency_validator v3.

Note: We originally widened this range as a part of the effort to upgrade
our ecosystem to analyzer v1, but it is not strictly necessary. Consumers
of dependency_validator v2 can still successfully resolve to analyzer v1.

For more info, reach out to #support-frontend-architecture on Slack.

Created by Sourcegraph batch change Workiva/narrow_dependency_validator_range.

[aviary-wf]

Security Insights

(2) Vulnerable direct dependencies were detected

1 vulns in ansi-regex < 4.1.1 via yarn.lock

1 vulns in glob-parent < 5.1.2 via yarn.lock

Action Items

• Review dependencies for available updates
• See this Splunk dashboard for more CVE details
• Review PR for security impact; comment "security review required" if needed or unsure
• Verify aviary.yaml coverage of security relevant code

---

Questions or Comments? Reach out on Slack: #support-infosec.

[evanweible-wf]

Since this package is far enough upstream, we're able to upgrade to v3.2.2 which is the version with the fix for the NNBD issue. The rest of the dependency upgrades here are only for dev dependencies, which mean they don't impact downstream consumers.

[aaronlademann-wf]

+1

[kimlarson-wk]

QA+1

[kimlarson-wk]

@Workiva/release-management-pp ready for merge.

[rmconsole-wf]

+1 from RM