Security audit fails because of hosted-git-info vulnerability

[mlarente]

The npm security audit fails because of a hosted-git-info vulnerability. This is a dependency through the read-pkg-up package. The latest version of read-pkg-up doesn't depend on the vulnerable package.

[ljharb]

We can never upgrade read-pkg-up, because it drops support for node versions we must support.

See #2047 which seeks to remove the dep altogether.

Duplicate of #2046.