Open
Description
Hey there, is there any reason for using lodash.topath 4.5.2 despite a newer lodash version being included in the spectral-core package?
...
"lodash": "~4.17.21",
"lodash.topath": "^4.5.2",
...
Blackduck detects that the lodash.topath dependency has some critical security findings because the version is lower than 4.17.21:
https://nvd.nist.gov/vuln/detail/CVE-2018-16487
https://nvd.nist.gov/vuln/detail/CVE-2018-3721
https://nvd.nist.gov/vuln/detail/CVE-2019-10744
https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-28500
https://nvd.nist.gov/vuln/detail/CVE-2021-23337
Best regards