Bump download dependency

[sebek64]

Current version doesn't honor strict-ssl option, causing a lot of trouble for users behind a proxy. For example, imagemin/optipng-bin#74. The fix is in 5 branch here kevva/download@559a6f5, but this project uses version 4.

[alexander-akait]

/cc @kevva it is possible to upgrade download to latest version? Also it is avoid security problem using npm audit

[coreyfarrell]

I just looked into upgrading to the latest download version. One test which downloads two tarballs and an uncompress JS file shows a change in behaviour. In download@4 the 'extract' option meant 'try to extract', for download@>=5 nothing is returned when the file is not compressed (no error or data is returned). I'm not sure if the solution is for download to fix it's handling of decompress so it returns the original file if it's not compressed, or if the test should be updated to expect non-compressed files to fail.

[jookshub]

As mentioned in the reference, due to node version restrictions with got there is a mismatch for the engines requirement >=6 should be >=6 <=7 or got needs to be updated.

[rejas]

PR for this bump is in #65