
Update dependency underscore to 1.12.1 [SECURITY] #504

Merged
merged 3 commits into from
May 22, 2023

Conversation


@renovate renovate bot commented Apr 18, 2023


This PR contains the following updates:

Package    | Change
---------- | ----------------
underscore | 1.8.3 -> 1.12.1
underscore | 1.9.1 -> 1.12.1

GitHub Vulnerability Alerts

CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


@confused-Techie confused-Techie left a comment


So this PR is only bumping the versions in a few packages' package-lock.json files, which are not used on Pulsar (to my knowledge).

So this doesn't actually change anything for Pulsar users.

Additionally each package had the following:

  • autocomplete-plus: underscore-plus: ^1.6.6
  • bracket-matcher: underscore-plus: 1.x
  • keybinding-resolver: underscore-plus: No Direct Dependency
  • open-on-github: underscore-plus No Direct Dependency
  • settings-view: underscore-plus: ^1.0.6

With that said, then underscore-plus uses ^1.10.2.

All that said, meaning that when any one of these packages is installed, underscore-plus should install the newest minor version of underscore, which currently would be 1.13.6. Meaning all of these other packages in the newest Pulsar versions should be installing a version much higher than what's listed here.

But there's no reason not to install this newer version in the package-lock.json.

Lastly, tests are right where we would expect:

  • find-and-replace: ✅ 42 Failures - Expected
  • settings-view: ✅ 2 Failures - Expected
  • symbols-view: ✅ 2 Failures - Expected
  • tree-view: ✅ 2 Failures - Expected

With that said, tests are happy, the user impact is minimal if not zero, and it's a security bump, so I say let's merge.
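The advisory above names two vulnerable ranges (>=1.3.2 <1.12.1 and >=1.13.0-0 <1.13.0-2), and the comment above reasons about which underscore versions actually land in each package's package-lock.json. As an added example, not code from this PR, from Renovate, or from Pulsar, the script below scans a lock file for every underscore entry (both the lockfileVersion 1 "dependencies" layout and the lockfileVersion 2/3 "packages" layout, including nested copies such as one under underscore-plus) and flags the versions that fall inside those ranges. The two lock objects are constructed samples, and the function names are mine.

```javascript
// Added example: audit a package-lock.json for underscore versions inside the
// ranges named by CVE-2021-23358. Not part of the PR, Renovate, or Pulsar.

// Constructed sample in the lockfileVersion 2/3 layout (keyed by install path).
// The top-level underscore is the 1.8.3 this PR bumps; the copy nested under
// underscore-plus is what ^1.10.2 resolves to today.
const SAMPLE_LOCK_V2 = {
  name: "sample-package",
  lockfileVersion: 2,
  packages: {
    "node_modules/underscore": { version: "1.8.3" },
    "node_modules/underscore-plus": { version: "1.7.0", dependencies: { underscore: "^1.10.2" } },
    "node_modules/underscore-plus/node_modules/underscore": { version: "1.13.6" },
  },
};

// Constructed sample in the legacy lockfileVersion 1 layout (keyed by name, nested).
const SAMPLE_LOCK_V1 = {
  name: "sample-package",
  lockfileVersion: 1,
  dependencies: {
    "settings-view": { version: "0.1.0", dependencies: { underscore: { version: "1.9.1" } } },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// SemVer 2.0.0 ordering: numeric main parts; a prerelease sorts before its
// release (so 1.13.0-0 < 1.13.0); prerelease identifiers compare numerically
// when both are numeric, otherwise lexically, with a shorter list sorting first.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (pa.pre[i] === undefined) return -1;
    if (pb.pre[i] === undefined) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Ranges as stated in the advisory: [min, max) in each case.
const VULNERABLE_RANGES = [
  { min: "1.3.2", max: "1.12.1" },
  { min: "1.13.0-0", max: "1.13.0-2" },
];

function isVulnerableUnderscore(version) {
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) < 0
  );
}

// Collect every installed copy of underscore from either lock-file layout,
// keyed by install path so a v2 lock that carries both sections is not double-counted.
function findUnderscoreEntries(lock) {
  const found = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/underscore" || path.endsWith("/node_modules/underscore")) {
      found.set(path, entry.version);
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}${name}`;
      if (name === "underscore" && !found.has(path)) found.set(path, entry.version);
      walk(entry.dependencies, `${path}/node_modules/`);
    }
  };
  walk(lock.dependencies, "node_modules/");
  return [...found].map(([path, version]) => ({ path, version }));
}

// Returns one record per installed underscore copy with a vulnerable flag.
function auditLock(lock) {
  return findUnderscoreEntries(lock).map((e) => ({ ...e, vulnerable: isVulnerableUnderscore(e.version) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
    for (const r of auditLock(lock)) {
      console.log(`${r.vulnerable ? "VULNERABLE" : "ok        "} ${r.path} ${r.version}`);
    }
  }
}
```

Running it against the samples reports the top-level 1.8.3 and the nested 1.9.1 as vulnerable and the 1.13.6 under underscore-plus as fine, which is the situation the comment describes: the lock-file pin is stale even though a fresh install of underscore-plus resolves past the fixed version. To check a real lock file, replace the sample objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.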

@confused-Techie

Correction: I've hit the rebase checkmark about a dozen times the past few days due to merge conflicts, and it wouldn't do anything. So I had to fix the merge conflict manually, which, once tests are happy, I'll go ahead and merge.

@renovate renovate bot changed the title chore(deps): update dependency underscore to 1.12.1 [security] Update dependency underscore to 1.12.1 [SECURITY] May 12, 2023

renovate bot commented May 12, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@confused-Techie

Alright, as this PR is only affecting lock files, and the changes present should already be available to users, as well as all tests passing, I'll go ahead and merge this one.

@confused-Techie confused-Techie merged commit d1314fc into master May 22, 2023
100 checks passed
@confused-Techie confused-Techie deleted the renovate/npm-underscore-vulnerability branch May 22, 2023 00:32