Add event-stream as a dep and lock it (security issue) (#739)

As identified in dominictarr/event-stream#116, `event-stream` has a major security issue (malware injection) in version 3.3.6 (thanks to `flatmap-stream` version 0.1.1). `event-stream` 3.3.6 is referenced as a child dep in this project, through `tsc-watch` and `vscode-apollo` / `vscode`.

![screenshot 2018-11-26 13 53 19](https://user-images.githubusercontent.com/137740/49037391-18e04f80-f188-11e8-9eeb-f26f88c372ab.png)

This commit adds `event-stream` as a top level dependency, and locks it to the most recent version that excludes `flatmap-stream` (version 3.3.4).

This should work for now, but ultimately `tsc-watch` and `vscode` should be updated to newer versions, that address this issue (since their child deps are the problem). Both projects have yet to submit fixes to this problem.

Author: hwillson

package-lock.json

@@ -42,6 +42,7 @@
     "apollo-codegen-typescript": "file:packages/apollo-codegen-typescript",
     "apollo-env": "file:packages/apollo-env",
     "apollo-language-server": "file:packages/apollo-language-server",
+    "event-stream": "=3.3.4",
     "vscode-apollo": "file:packages/vscode-apollo",
     "webpack-command": "^0.4.1"
   },