fix(connector-fabric): vulnerability cve-2020-7788

[petermetz]

Describe the bug

Dependabot cannot update ini to a non-vulnerable version
The latest possible version of ini that can be installed is 1.3.5.

The earliest fixed version is 1.3.6.

Learn more about troubleshooting Dependabot errors.

1 ini vulnerability found in …/cactus-plugin-ledger-connector-fabric/package-lock.json 27 days ago
Remediation
Upgrade ini to version 1.3.6 or later. For example:

"dependencies": {
  "ini": ">=1.3.6"
}

or…

"devDependencies": {
  "ini": ">=1.3.6"
}

Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2020-7788
low severity
Vulnerable versions: < 1.3.6
Patched version: 1.3.6
Overview
The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Patches
This has been patched in 1.3.6

To Reproduce

https://github.com/hyperledger/cactus/security/dependabot/packages/cactus-plugin-ledger-connector-fabric/package-lock.json/ini/open

Steps to reproduce
payload.ini

[proto]
polluted = "polluted"
poc.js:

var fs = require('fs')
var ini = require('ini')

var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)

> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted

Expected behavior

No security warnings/errors.

cc: @takeutak @sfuji822 @hartm @jonathan-m-hamilton @AzaharaC @jordigiam @kikoncuo