Update lodash and remove prototype vulnerabilities

[cheesestringer]

Fixes: #2574 by removing prototype vulnerabilities for:

https://ossindex.sonatype.org/component/pkg:npm/lodash.assign

https://ossindex.sonatype.org/component/pkg:npm/lodash.clonedeep

https://ossindex.sonatype.org/component/pkg:npm/lodash.mergewith

[nschonni]

I don't believe this is needed #2574 (comment)

[cheesestringer]

There is nothing to update to since these were separate packages. Since then it looks like it has gone back to a single package you import from.

https://www.npmjs.com/package/lodash.assign (2 years old)
https://www.npmjs.com/package/lodash.clonedeep (2 years old)
https://www.npmjs.com/package/lodash.mergewith (almost 2 years old)

[xzyfer]

Weird this didn't build in Travis

[nschonni]

@xzyfer may be related to this https://developer.github.com/changes/2018-04-25-github-services-deprecation/
We still have the "old" integration setup, so you might need to add the "app" version instead. Might be the same for AppVeyor that also didn't trigger

[cheesestringer]

A build ran 15 minutes ago for a pr that was closed 13 days ago but had lodash in the title.

https://travis-ci.org/sass/node-sass/builds/476774889

[nschonni]

Yeah, that was me hitting restart, not realizing it was an old PR and not this one

[xzyfer]

We can't migrate just yet

The following repositories cannot be migrated to travis-ci.com at this time because they are currently active on our legacy platform travis-ci.org. This feature will be available shortly. Please read our docs on open source migration to learn more.

I think it was just a dodgy webhook. Please try to rebase on master to kick off a new one.

[cheesestringer]

Nothing to rebase against so I amended the commit message.

[xzyfer]

Travis CI is now running but failing due to lodash dependencies. Please investigate.

[cheesestringer]

All good now, needed a capital on cloneDeep and mergeWith import.

[xzyfer]

Thanks

[stof]

is there any ETA for a release including that change ?