chore: put latest lodash version explicitly to devDependencies

[valdemon]

test: description now doesn't return promise as required by latest jest version.

WORK IN PROGRES - please don't merge yet

... as we'll still get the security alerts because of nodejs/node-gyp#1718.

The node-gyp@3.8.1 release is planned ~10-th of May.

[codecov]

Codecov Report

Merging #34 into development will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           development    #34   +/-   ##
==========================================
  Coverage          100%   100%           
==========================================
  Files               17     17           
  Lines              401    401           
  Branches            75     75           
==========================================
  Hits               401    401

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e40bb67...d14dbdc. Read the comment docs.

[vsetka]

Just an FYI, you can now create (since February) draft pull requests so PRs that are still in progress don't accidentally get merged. Scroll to the bottom heret: https://help.github.com/en/articles/creating-a-pull-request.

[valdemon]

Still on this because of npm/cli#198 and then a dependency chain:
semantic-release > @semantic-release/npm > npm > npm-lifecycle > node-gyp > fstream

[valdemon]

The good in bad is that all this mess concerns the devDependencies only, so - there are no security issues in the runtime context.