lodash version is too low

[yoli799480165]

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of cordova-custom-config

Path cordova-custom-config >
bc1b0c8409a659a2aa60420bf1c2bf81eef80c3fc2c68d008bd66894d9e…
> xmlbuilder > lodash

More info https://nodesecurity.io/advisories/577

found 1 low severity vulnerability in 3804 scanned packages
1 vulnerability requires manual review. See the full report for details.

[dpa99c]

I would argue this detected vulnerability is irrelevant: the node modules used by this plugin are used in the context of the offline Cordova build process (as opposed to being in an online environment, e.g. in website JS) and therefore the opportunity for a malicious 3rd party script to exploit the referenced vulnerability would be pointless.

Additionally, the specified low version of lodash is not directly referenced by this plugin, which references ^4.3.0 but indirectly deep down in its dependency tree:

+-- cordova-custom-config@4.0.2
| +-- lodash@4.17.4
| +-- plist@1.2.0
| | +-- base64-js@0.0.8
| | +-- util-deprecate@1.0.2
| | +-- xmlbuilder@4.0.0
| | | `-- lodash@3.10.1

This forked version of plist is explicitly referenced and cannot be updated due to an unresolved bug in the versions released to npm - see here.