Describe the bug

underscore.js has a security announcement ( CVE-2021-23358 ) for arbitrary code execution. Unfortunately this is fixed in underscore 1.12.1, but Sphinx-4.0.1 is still on 1.12.0.

refs: https://groups.google.com/g/sphinx-users/c/0ukmuNwtNqM

To Reproduce
N/A

Expected behavior
Upgrade it to the latest one.

Your project
N/A

Screenshots
N.A

Environment info
N/A