https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/
It seems the latest version of grunt-contrib-compress requires:

- `"archiver": "^1.3.0"` (in turn dependent on async, which is using lodash `"^4.17.11"`)
- `"lodash": "^4.7.0"`

Unfortunately, these packages depend on vulnerable lodash versions. Lodash version 4.17.11 has a prototype pollution vulnerability (as described in https://github.com/lodash/lodash/wiki/Changelog#v41712), fixed in version 4.17.12.
I'm just creating this issue to flag this fact and to request a dependency update when the dependent packages are ready.
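For readers who have not seen prototype pollution before, the following is an added example; it is not part of the original issue and is not lodash's or grunt-contrib-compress's code. `deepMergeNaive`, `deepMergeSafe`, `probe` and the JSON payload are constructed for illustration. The naive merge models the bug class the linked Snyk post describes: a deep merge that trusts a `__proto__` key in attacker-controlled input recurses into `Object.prototype` and writes to it, so every object in the process afterwards sees the injected property. The hardened variant applies the usual fix of refusing the keys that reach the prototype chain and only recursing into properties the target itself owns.

```javascript
// Added example: a constructed deep merge showing the prototype-pollution
// bug class, next to a hardened version. Not lodash's implementation.

function isObject(v) {
  return v !== null && typeof v === "object";
}

// Vulnerable: trusts every key in `source`, including "__proto__".
// For target = {}, target["__proto__"] is Object.prototype, so the
// recursion writes the payload's properties onto the global prototype.
function deepMergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObject(val) && isObject(target[key])) {
      deepMergeNaive(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip the keys that can reach the prototype chain, and only
// recurse into properties that `target` owns itself (never inherited ones).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    const ownObject =
      Object.prototype.hasOwnProperty.call(target, key) && isObject(target[key]);
    if (isObject(val) && ownObject) {
      deepMergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker-controlled input. JSON.parse creates "__proto__" as an
// ordinary own property, which is what makes this reachable from user data.
const PAYLOAD = '{"__proto__": {"polluted": "yes"}}';

// Merge the payload into a fresh object with `merge`, then report what an
// unrelated, newly created object sees for `polluted`. Always restores
// Object.prototype so later code in the same process is unaffected.
function probe(merge) {
  try {
    merge({}, JSON.parse(PAYLOAD));
    return ({}).polluted; // "yes" if Object.prototype was polluted, else undefined
  } finally {
    delete Object.prototype.polluted;
  }
}

function demoNaive() {
  return probe(deepMergeNaive); // "yes"
}

function demoSafe() {
  return probe(deepMergeSafe); // undefined
}

console.log("naive merge, seen by an unrelated object:", demoNaive());
console.log("hardened merge, seen by an unrelated object:", demoSafe());
```

The same shape of payload, `{"constructor": {"prototype": {...}}}`, is why `constructor` and `prototype` are also refused in the hardened version; blocking `__proto__` alone is not sufficient for merges that recurse into functions.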