The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
source: https://nvd.nist.gov/vuln/detail/CVE-2021-23358
P.S.
I did quick tests and it appears that replacing it with Underscore.js 1.13.6 doesn't seem to cause any damage.
Console/src/Spe/sitecore modules/PowerShell/Scripts/ace/emmet-core/emmet.js
Line 1 in 8943f11
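The affected ranges quoted above can be turned into a check for an Underscore.js copy bundled inside another script. This is an added example, not part of the original report or the project's code; the `VERSION` marker heuristic, the function names and the sample bundle strings are assumptions constructed for illustration.

```javascript
// Added example: heuristic check of a bundled Underscore.js copy against the
// version ranges quoted from CVE-2021-23358. Sample inputs are constructed.

// Parse "1.13.0-2" into [major, minor, patch, pre]; a release (no "-N")
// gets pre = Infinity so it sorts after its own pre-releases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(v);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]),
          m[4] === undefined ? Infinity : Number(m[4])];
}

function compare(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as stated in the advisory text: [from, before).
const AFFECTED = [["1.3.2", "1.12.1"], ["1.13.0-0", "1.13.0-2"]];

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null; // unknown format: needs manual review
  return AFFECTED.some(([from, before]) =>
    compare(v, parseVersion(from)) >= 0 && compare(v, parseVersion(before)) < 0);
}

// Assumption: the bundled copy still carries Underscore's version assignment
// (`_.VERSION = '...'` or `VERSION = '...'`); minifiers may rename or drop it.
function findBundledVersions(source) {
  const re = /\bVERSION\s*=\s*['"](\d+\.\d+\.\d+(?:-\d+)?)['"]/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

function audit(source) {
  return findBundledVersions(source).map((version) =>
    ({ version, affected: isAffected(version) }));
}

// Constructed stand-ins for a bundle before and after the replacement.
const before = "/* bundle */ _.VERSION = '1.3.3'; _.template = function(){};";
const after = "/* bundle */ var VERSION = '1.13.6';";
console.log(audit(before), audit(after));
```

An empty result from `audit` means no version marker was found, not that the file is free of an embedded copy.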