Add CVE-2019-1010266/node-lodash

Marked it as unimportant, even it is supported now in buster onwards
security-wise. The reason behind this marking is that the fixed version
is anyway the one in buster and for stretch and earlier it would
otherwise be marked no-dsa anyway. Given another issue which was fixed
in the same upstream version tracked earlier opted to mark both issues
in sync.