bump micromatch version to remove snapdragon

[shogunpurple]

Bumping micromatch dependency - as there's a vuln in one of its sub deps (snapdragon). The author has removed snapdragon functionality altogether, so bumping to the latest should solve the vuln.

Changelog here between 3 and 4:

## [4.0.0] - 2019-03-20

### Added

- Adds support for `options.onMatch`. See the readme for details
- Adds support for `options.onIgnore`. See the readme for details
- Adds support for `options.onResult`. See the readme for details


### Breaking changes

- Require Node.js >= 8.6
- Removed support for passing an array of brace patterns to `micromatch.braces()`.
- To strictly enforce closing brackets (for `{`, `[`, and `(`), you must now use `strictBrackets=true` instead of `strictErrors`.
- `cache` - caching and all related options and methods have been removed
- `options.unixify` was renamed to `options.windows`
- `options.nodupes` Was removed. Duplicates are always removed by default. You can override this with custom behavior by using the `onMatch`, `onResult` and `onIgnore` functions.
- `options.snapdragon` was removed, as snapdragon is no longer used.
- `options.sourcemap` was removed, as snapdragon is no longer used, which provided sourcemap support.

Nothing jumps out as risky given our usage.