probberechts / hexo-theme-cactus

:cactus: A responsive, clean and simple theme for Hexo.
https://probberechts.github.io/hexo-theme-cactus/
MIT License

Replace gulp-download with gulp-download-stream #342

Closed metters closed 1 year ago

metters commented 1 year ago

gulp-download has not been updated since 9 years! It contains gulp-util, which has been deprecated.

I looked for alternatives and believe that gulp-download-stream is sufficient.

gulp-util contains dependencies, which might contain security issues (I am no expert!)

Replacing this indeed removes a lot of lodash dependencies and npm install shows that the change removes one critical issue:

Before: found 20 vulnerabilities (7 low, 3 moderate, 9 high, 1 critical)

After: found 19 vulnerabilities (7 low, 3 moderate, 9 high)

metters commented 1 year ago

This change originates from a dependabot alert:

# Prototype Pollution in lodash
The latest possible version that can be installed is 3.6.2 because of the following conflicting dependency:

`gulp-download@0.0.1 requires lodash.template@^3.0.0 via a transitive dependency on gulp-util@3.0.8`

The earliest fixed version is 4.5.0.

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
## Recommendation

Update to version 4.17.12 or later.
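The alert quoted above describes the mechanism only in one sentence. The following is an added illustration, not code from hexo-theme-cactus, from the PR, or from lodash itself: `unsafeDefaultsDeep` is a small stand-in that reproduces the behaviour the alert attributes to lodash's `defaultsDeep` before 4.17.12, `safeDefaultsDeep` shows the usual mitigation (refuse the keys that reach the prototype chain, descend only into own properties), and `isPrototypePolluted` is a canary check a test suite can run. All function names, the `PAYLOAD_JSON` sample and the merged config shape are constructed for this example.

```javascript
// Added example: vulnerable deep-defaults merge beside a hardened one.
// Not lodash code; names and sample data are constructed for illustration.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable stand-in: copies every key of `source` that `target` does not
// already define. Because `target.constructor` and `constructor.prototype`
// resolve through the prototype chain, a payload shaped like
// {constructor: {prototype: {...}}} walks up to Object.prototype and writes there.
function unsafeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (target[key] === undefined) target[key] = {};
      unsafeDefaultsDeep(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: skips the three keys that reach the prototype chain and
// only descends into properties that `target` owns itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key)) target[key] = {};
      if (isPlainObject(target[key])) safeDefaultsDeep(target[key], value);
    } else if (!hasOwn(target, key)) {
      target[key] = value;
    }
  }
  return target;
}

// Detection canary: a fresh empty object must never see `prop`.
function isPrototypePolluted(prop) {
  return ({})[prop] !== undefined;
}

// Constructed payload in the shape the alert describes, as it might arrive in
// untrusted JSON that gets deep-merged into a default config.
const PAYLOAD_JSON =
  '{"theme":{"color":"green"},"constructor":{"prototype":{"polluted":"yes"}}}';

function runUnsafe() {
  const merged = unsafeDefaultsDeep({ theme: { color: 'black' } }, JSON.parse(PAYLOAD_JSON));
  const polluted = isPrototypePolluted('polluted');
  delete Object.prototype.polluted; // undo the global side effect for the rest of the process
  return { color: merged.theme.color, polluted };
}

function runSafe() {
  const merged = safeDefaultsDeep({ theme: { color: 'black' } }, JSON.parse(PAYLOAD_JSON));
  return {
    color: merged.theme.color,
    polluted: isPrototypePolluted('polluted'),
    ownConstructor: hasOwn(merged, 'constructor'),
  };
}

console.log('unsafe merge:', runUnsafe()); // { color: 'black', polluted: true }
console.log('safe merge:  ', runSafe());   // { color: 'black', polluted: false, ownConstructor: false }
```

In both runs the existing default (`color: 'black'`) wins, as a defaults merge should; the difference is only whether the `constructor.prototype` branch reaches `Object.prototype`. The canary is the kind of assertion worth keeping in a build's test suite: once any dependency pollutes the prototype, every later object in the process inherits the injected property.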

probberechts commented 1 year ago

These vulnerabilities are not an issue, since you would only run the gulp scripts locally. Nevertheless, I agree it is better to use dependencies that are maintained. Thanks for the PR!