Via GitHub alerts,
kartotherian/server depends on lodash < 4.17.11, which is impacted by CVE-2018-16487.
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
kartotherian/server depends on cached-path-relative < 1.0.2, which is impacted by CVE-2018-16472.
A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.