Fix `yarn version` command

b778c9ad refactored the Makefile and
removed the `all` target. This target was still referenced by
package.json however.

Bump gulp-sass from 3.2.1 to 4.0.2

Bumps [gulp-sass](https://github.com/dlmanning/gulp-sass) from 3.2.1 to 4.0.2.
- [Release notes](https://github.com/dlmanning/gulp-sass/releases)
- [Changelog](https://github.com/dlmanning/gulp-sass/blob/master/CHANGELOG.md)
- [Commits](https://github.com/dlmanning/gulp-sass/compare/v3.2.1...v4.0.2)
Signed-off-by: dependabot[bot] <support@dependabot.com>

Bump redux-thunk from 2.2.0 to 2.3.0

[Security] Bump cached-path-relative from 1.0.1 to 1.0.2

Bump gulp-postcss from 6.4.0 to 8.0.0

[Security] Bump stringstream from 0.0.5 to 0.0.6

Bump vinyl from 1.2.0 to 2.2.0

Bumps [gulp-postcss](https://github.com/postcss/gulp-postcss) from 6.4.0 to 8.0.0.
- [Release notes](https://github.com/postcss/gulp-postcss/releases)
- [Commits](https://github.com/postcss/gulp-postcss/compare/6.4.0...8.0.0)
Signed-off-by: dependabot[bot] <support@dependabot.com>

Bumps [stringstream](https://github.com/mhart/StringStream) from 0.0.5 to 0.0.6. **This update includes security fixes.**
- [Release notes](https://github.com/mhart/StringStream/releases)
- [Commits](https://github.com/mhart/StringStream/compare/v0.0.5...v0.0.6)
Signed-off-by: dependabot[bot] <support@dependabot.com>

Bumps [redux-thunk](https://github.com/reduxjs/redux-thunk) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/reduxjs/redux-thunk/releases)
- [Commits](https://github.com/reduxjs/redux-thunk/compare/v2.2.0...v2.3.0)
Signed-off-by: dependabot[bot] <support@dependabot.com>

Bumps [vinyl](https://github.com/gulpjs/vinyl) from 1.2.0 to 2.2.0.
- [Release notes](https://github.com/gulpjs/vinyl/releases)
- [Commits](https://github.com/gulpjs/vinyl/compare/v1.2.0...v2.2.0)
Signed-off-by: dependabot[bot] <support@dependabot.com>

Bumps [cached-path-relative](https://github.com/ashaffer/cached-path-relative) from 1.0.1 to 1.0.2. **This update includes security fixes.**
- [Release notes](https://github.com/ashaffer/cached-path-relative/releases)
- [Changelog](https://github.com/ashaffer/cached-path-relative/blob/master/History.md)
- [Commits](https://github.com/ashaffer/cached-path-relative/commits)
Signed-off-by: dependabot[bot] <support@dependabot.com>

Update AngularJS to 1.7.x

Upgrade to gulp 4

In Angular 1.6 the behavior where inputs to components ("bindings")
were accessible in the controller's constructor was deprecated [1] but a
switch was made available to re-enable the old behavior to assist migration.
This switch has been removed in Angular 1.7, so we need to stop relying
on it before we can upgrade.

The correct thing to do is to put all init logic which accesses bindings
(`this.someBindingName`) in the `$onInit` lifecycle method.

This commit makes the minimal amount of changes to enable the app and
tests to run without requiring pre-assigned bindings.

[1] https://toddmotto.com/angular-1-6-is-here

This should make future maintenance easier since Gulp v4 has better
documentation [1], more checks for incorrect usage and a simpler API for
expressing what should run in parallel vs sequentially during build
steps. This also eliminates a bunch of old transitive dependencies that
gulp v3 had, which sometimes caused problems (eg. with Node upgrades).

Changes required:

 - Make sure `gulp.task` functions return a value, so Gulp knows when
   the task is finished
 - `gulp.watch` now requires a function rather than a task name
 - Task no longer support a list of dependencies but need a task
   function. Dependencies are expressed using `gulp.series` or
   `gulp.parallel` to compose other functions
 - Give several functions names so that there are fewer `<anonymous>
   {starting, finished}` messages in log output.

[1] https://gulpjs.com/docs/en/api/concepts

Refactor Makefile

Refactor Makefile to be the same as for our other projects:

    $ make help
    make help              Show this help message
    make dev               Run the app in the development server
    make lint              Run the code linter(s) and print any warnings
    make test              Run the unit tests
    make docs              Build docs website and serve it locally
    make checkdocs         Crash if building the docs website fails
    make clean             Delete development artefacts (cached files,
                           dependencies, etc)

Other make commands that our other projects have but the client doesn't
yet:

`make shell` -- Not relevant to the client? (Unless we can get a useful
JavaScript shell in the terminal.)

`make sql` -- Not relevant.

`make format` and `checkformatting` -- We can't use Black code
formatting for the client of course but maybe we could use Prettier or
something else. (Our Python apps could also be extended to have `make
format` format the JavaScript code as well.)

`make coverage` and `codecov` -- Print the unit test coverage report to
the terminal, and post it to codecov. These should be doable?

Ignore invalid URLs in `<link>` and `<meta>` tags

Fix selection of annotations when bucket bar indicators are clicked

Delete only invalid highlight when anchor has multiple highlights

Websites may put unparseable URLs in `<link>` and `<meta>` tags [1]. We
could choose to preserve the URL string as-is (which
`HTMLLinkElement#href` does for example) or not include it at all. I've
opted to skip over such URLs to make life easier for code consuming the
parsed links as it can rely on them being parseable as URLs.

[1] https://github.com/hypothesis/product-backlog/issues/742

Instead of modifying the `<head>` of the document which is shared with
all other tests, create a new temporary document fragment and populate
that for each test.

This isolates these tests from each other and from unrelated tests.

Clean up `DocumentMeta#_getLinks` by removing several unnecessary variables and
narrowing the scope of several others.

In the process, avoid trying to normalize the URIs for `<link>` elements
which are going to be ignored anyway because of their `rel` values.

As a side effect this should fix https://github.com/hypothesis/lms/issues/375
because the `<link>` elements shown in https://github.com/hypothesis/lms/issues/375#issuecomment-444637947
will never get parsed. This doesn't close that issue because invalid
URIs could still occur in the remaining `<link>` tags which are parsed.

A typo, `annotator` instead of `@annotator`, caused this functionality
to break when `window.annotator` (which was the same object as
`@annotator`) was removed in 0033f774.

Correct the typo and add tests. The tests operate at the DOM level so
they should be easy to adapt if the BucketBar implementation is
rewritten or changed substantially in future.

Fixes https://github.com/hypothesis/product-backlog/issues/704

Support groupids in `groups` config setting

Co-Authored-By: seanh <seanh@users.noreply.github.com>

Although the list of groups to be shown (the service setting `groups`)
to identify groups using either their `groupid` or their `id` (pubid).
Previously only pubids worked. Supporting groupids makes the LMS app's
job a lot simpler.

Hide non-applicable tutorial steps for third party users

Hide steps in the sidebar tutorial which are not available to
third-party users. It is expected that the conditions under which these
actions are available may change in future, but they will still be
unavailable in at least some contexts.

Fixes https://github.com/hypothesis/product-backlog/issues/842