[🐸 Frogbot] Update version of lodash to 4.17.21

[github-actions]

📦 Vulnerable Dependencies

Severity	ID	Contextual Analysis	Direct Dependencies	Impacted Dependency	Fixed Versions
Critical	CVE-2019-10744	Applicable	lodash:4.17.11	lodash 4.17.11	[4.17.12]

🔖 Details

Vulnerability Details

Jfrog Research Severity:	High
Contextual Analysis:	Applicable
Direct Dependencies:	lodash:4.17.11
Impacted Dependency:	lodash:4.17.11
Fixed Versions:	[4.17.12]
CVSS V3:	9.1

Insufficient input validation in lodash defaultsDeep() leads to prototype pollution.

🔬 JFrog Research Details

Description:
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

The function defaultsDeep was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input

Example of code vulnerable to this issue -

const lodash = require('lodash'); 
const evilsrc = {constructor: {prototype: {evilkey: "evilvalue"}}};
lodash.defaultsDeep({}, evilsrc)

Remediation:

Development mitigations

Add the Object.freeze(Object.prototype); directive once at the beginning of your main JS source code file (ex. index.js), preferably after all your require directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.

---

🐸 JFrog Frogbot