fix(srcclr): Update package-lock.json to satisfy SourceClear

[nchilada]

Summary

SourceClear seems to install lodash@4.17.10 per our package-lock.json, rather than installing lodash@4.17.11 (the latest) as they might if installing directly via npm. Update package-lock.json to mitigate this.

Preserve "lodash": "^4.0.0" in package.json so that our customers remain free to control their lodash subdependencies.

Issues

• OASIS-4112

[nchilada]

@mikeng13 @spencerwilson-optimizely @mjc1283 does this seem reasonable?

Or should we specify a more recent version of lodash in our package.json? That would make it easier for our customers to install the latest (and presumably safer) subdependency, with the caveats that this would marginally bloat their node_modules/ and would not really make sense unless we were to continually re-release our package with latest dependencies.

[coveralls]

Coverage remained the same at 97.468% when pulling 3caa5c0 on nikhil/lodash into dcead1e on master.

[nchilada]

I've confirmed that this works

[spencerwilson-optimizely]

Your understanding of how things work sounds totally accurate to me. This change only affects places that install deps based on package-lock.json--i.e., where people run npm install with local clone of the package source (e.g., local dev machines, CI).

[nchilada]

Thanks @spencerwilson-optimizely! Yeah, the remaining question is whether we should be doing more and ensuring that we always use a secure version of lodash when installed as a dependency. Presumably we haven't cared in the past, given that we only specify ^4.0.0.

The challenge, of course, is that we'd have to keep re-releasing if our philosophy is to pin to secure packages.

That's a gnarly problem so I'm just going to merge this change for now!