lodash has been reported to be vulnerable to the so-called prototype pollution attack in versions up to (excluding) 4.17.5. See https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Now lodash is the most depended-upon package in the JavaScript ecosystem. The impact is that almost every at least mid-scale project has gazillions of different lodash dependencies and sub-dependencies in different versions included (run npm ls | grep lodash in a JS project of your choice to see for yourself). Now it will take lots and lots of effort and a lot of time to contribute to all of the open source projects that use lodash in version < 4.17.5.
Please explain how this vulnerability can be used by attackers, and what the right way would be to deal with this issue in a large-scale frontend that has A LOT of production dependencies using lodash.
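The following is an added example, not part of the original question and not lodash's own code. It shows the bug class CVE-2018-3721 describes with a minimal recursive merge: the vulnerable version walks into whatever `target[key]` resolves to, so a key literally named `__proto__` in attacker-controlled JSON lands on `Object.prototype` and every object created afterwards inherits the injected property. The hardened version beside it refuses the keys that reach a shared prototype. The payload and the `isAdmin` flag are constructed for illustration.

```javascript
// Added example (not from the original post and not lodash's code): a minimal
// recursive merge that illustrates the bug class behind CVE-2018-3721, next to
// a hardened version. The JSON payload below is constructed attacker input.

// Vulnerable: descends into whatever `target[key]` resolves to, including the
// accessor `__proto__`, which resolves to Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuses the three keys that lead to a shared prototype and only
// descends into properties the target actually owns (never inherited ones).
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges attacker-controlled JSON into an empty config object, then checks
// whether an unrelated object created afterwards inherited the injected flag.
function pollutes(mergeFn) {
  // Constructed payload. JSON.parse yields an own property literally named
  // "__proto__" (it does not set the prototype), which is what the merge walks into.
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}');
  mergeFn({}, payload);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later runs start clean
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));     // false
```

The practical consequence is the `unrelated.isAdmin` check: any code path that does `if (obj.isAdmin)` or iterates object keys now sees attacker-chosen values on objects the attacker never touched directly, which is why the sink matters more than the specific merge call. To find which copies of the library a project actually resolves, `npm ls lodash` lists every installed copy with its version and the dependency path that pulled it in, which is the input needed to decide whether a bump at the top level is enough or whether a nested copy has to be overridden.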