Current version of ws dependency is vulnerable #12637

Closed
G-Rath opened this issue Jun 9, 2021 · 0 comments · Fixed by #12638

G-Rath commented Jun 9, 2021

lighthouse is currently depending on exactly version 3.3.2 of ws, which is both out of date by a couple of majors and has a security vulnerability: https://npmjs.com/advisories/1748

It would be great if we could get this version bumped (ideally as a minor or patch version if possible), and the constraint relaxed to allow pulling in patch versions.

The min version that this would need to be lifted to for this advisory is v5 (released a few hours ago, so the advisory isn't yet updated with that), but the latest is v7:

Breaking changes for v7:

  • Dropped support for Node.js 6 (1e6999b).
  • Dropped support for url.Url instances in the WebSocket constructor
    (692d7b4).
  • The behavior of WebSocket#{p{i,o}ng,send}() has changed when the
    readyState attribute is not OPEN (#1532)
    • If the readyState attribute is CONNECTING, an exception is thrown.
    • If the readyState attribute is CLOSING or CLOSED
      • The bufferedAmount attribute is increased by the length of the data
        argument in bytes.
      • If provided, the callback function is called with an error.
      • No exception is thrown even if the callback function is not provided.

Breaking changes for v6:

Breaking changes for v5:

Breaking changes for v4:

  • The close status code is now set to 1005 if the received close frame contains
    no status code (a31b1f6).
  • Error messages and types have been updated (695c5ea).
  • The onerror event handler now receives an ErrorEvent instead of JavaScript
    error (63e275e).
  • The third argument of WebSocket.prototype.ping() and
    WebSocket.prototype.pong() is no longer a boolean but an optional callback
    (30c9f71).
  • The non-standard protocolVersion and bytesReceived attributes have been
    removed (30c9f71...ee9b5f3).
  • The extensions attribute is no longer an object but a string representing
    the extensions selected by the server (fdec524).
  • The 'headers' event on the client has been renamed to 'upgrade'. Listeners
    of this event now receive only the response argument (1c783c2).
  • The WebSocket.prototype.pause() and WebSocket.prototype.resume() methods
    have been removed to prevent the user from interfering with the state of the
    underlying net.Socket stream (a206e98).
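The two fixes the issue asks for (lift the pinned version above the advisory's floor, and relax the exact pin so patch releases can be pulled in) can be checked mechanically. Below is an added example, not code from Lighthouse or from ws: it audits a package.json dependency map for an exact pin and for a range whose lowest resolvable version is still below a minimum safe version. It assumes plain `x.y.z` versions with an optional `^` or `~` operator, and the minimum safe version is a placeholder to be replaced by the fixed version named in the advisory.

```javascript
// Added example (not from the Lighthouse issue or the ws project): audit a
// package.json dependency map for an exactly-pinned or out-of-date package.
// Assumptions: a semver subset (x.y.z, optional ^ / ~ prefix); MIN_SAFE is a
// placeholder, the real floor comes from the advisory.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing major, minor, patch in turn.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Split a constraint into its range operator and base (floor) version.
// Supported: "3.3.2" (exact pin), "~3.3.2" (patch range), "^3.3.2" (minor range).
function parseConstraint(constraint) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(constraint.trim());
  if (!m) throw new Error(`unsupported constraint: ${constraint}`);
  return {operator: m[1], base: m[2]};
}

// Report whether `name` in `deps` is pinned exactly and whether the lowest
// version the constraint can resolve to is below `minSafe`. A caret or tilde
// range whose floor is below the fix is still flagged, because the lockfile
// may keep the old version installed.
function auditDependency(deps, name, minSafe) {
  const constraint = deps[name];
  if (constraint === undefined) return {present: false};
  const {operator, base} = parseConstraint(constraint);
  return {
    present: true,
    constraint,
    exactPin: operator === '',
    allowsPatchUpdates: operator !== '',
    belowMinimum: compareVersions(base, minSafe) < 0,
  };
}

// Constructed samples: the pin reported in the issue, and a relaxed constraint.
const MIN_SAFE = '5.0.0'; // placeholder: use the fixed version from the advisory
const vulnerableDeps = {ws: '3.3.2'};
const relaxedDeps = {ws: '^5.0.0'};
console.log(auditDependency(vulnerableDeps, 'ws', MIN_SAFE));
console.log(auditDependency(relaxedDeps, 'ws', MIN_SAFE));
```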