I've gotten notice from github that one of my packages has a security alert, please see: https://github.com/ekkis/js-prototype-lib/network/alerts
the thing though is my package has no dependencies. it has a developer dependency on mocha for the test suite but not on the offending package lodash
so how do I address this?
the answer seems to be npm audit fix