
Commitlint uses "exact" dependency versions #856

Closed
4 tasks done
Artoria2e5 opened this issue Nov 11, 2019 · 2 comments

Comments


Artoria2e5 commented Nov 11, 2019

Some commitlint subpackages use "exact" dependency versions, i.e. those of the form "chalk": "3.0.0", instead of the "caret" form, which allows upgrading to any newer version within the same major version that is compatible under semver, the pervasive versioning system in Node. This is bad for several reasons:

  • It causes unnecessary downloads when users have some other packages that depend on a newer, compatible version.
  • It complicates security upgrades: several references to lodash are still locked by an exact resolution to a version vulnerable to prototype pollution, whereas the caret notation allows the package manager to take a newer one on install.
  • It makes other upgrades harder too: because of the exact nature of these definitions, a "dependency bot" is required to continuously bump the version spec so that people will use the new versions, even when commitlint is using none of the new features.

Affected packages

  • cli
  • core
  • prompt
  • config-angular

Possible Solution

Replace all exact semver dependency versions with ones starting with a caret (^).
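To make the difference between an exact pin and a caret range concrete, here is an added example (not commitlint code, and not the `semver` package) that implements npm's caret-range rule by hand and applies the proposed fix to a package.json-style dependency map. The `sampleDeps` object is constructed for illustration: "chalk": "3.0.0" is the form quoted in the issue, and the lodash version numbers are placeholders rather than a statement about which lodash releases are vulnerable.

```javascript
// Added example, not part of commitlint: exact pins vs caret ranges under semver.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Negative, zero or positive like a comparator; compares component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Exclusive upper bound of a caret range, following npm's rule that the
// left-most non-zero component may not change:
//   ^1.2.3 -> <2.0.0,   ^0.2.3 -> <0.3.0,   ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  const { major, minor, patch } = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Does `candidate` satisfy `spec`? Handles exact specs ("3.0.0") and caret specs ("^3.0.0").
function satisfies(candidate, spec) {
  spec = spec.trim();
  if (spec.startsWith('^')) {
    const base = spec.slice(1);
    return compareVersions(candidate, base) >= 0 &&
           compareVersions(candidate, caretUpperBound(base)) < 0;
  }
  return compareVersions(candidate, spec) === 0;
}

const EXACT_SPEC = /^\d+\.\d+\.\d+$/;

// Names of dependencies pinned to an exact version (the pattern the issue complains about).
function exactPins(deps) {
  return Object.entries(deps)
    .filter(([, spec]) => EXACT_SPEC.test(spec.trim()))
    .map(([name]) => name);
}

// The proposed fix: rewrite every exact pin as a caret range, leave other specs alone.
function caretify(deps) {
  const out = {};
  for (const [name, spec] of Object.entries(deps)) {
    out[name] = EXACT_SPEC.test(spec.trim()) ? `^${spec.trim()}` : spec;
  }
  return out;
}

// Constructed sample dependency map (versions are illustrative placeholders).
const sampleDeps = { chalk: '3.0.0', lodash: '4.17.11', semver: '^6.3.0' };
const fixedDeps = caretify(sampleDeps);

// A hypothetical newer lodash patch release: an exact pin refuses it, a caret range takes it.
const newerPatch = '4.17.21';
console.log('exact pins:', exactPins(sampleDeps));
console.log(`lodash ${newerPatch} satisfies ${sampleDeps.lodash}?`, satisfies(newerPatch, sampleDeps.lodash));
console.log(`lodash ${newerPatch} satisfies ${fixedDeps.lodash}?`, satisfies(newerPatch, fixedDeps.lodash));
```

The point of `caretUpperBound` is that a caret range never crosses the left-most non-zero component, so `^4.17.11` admits a later 4.x patch or minor release but not 5.0.0, while the exact pin admits nothing but itself. Note that an install still only picks up the newer release if it is actually published; the caret merely stops the pin from blocking it.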

@escapedcat
Member

Relates to #840. There's a PR for lodash already in that issue.

@byCedric byCedric mentioned this issue Jan 28, 2020
@marionebl
Contributor

We are slowly moving towards caret ranges for most dependencies.

Labels
None yet

3 participants