webpro / dyson

Node server for dynamic, fake JSON.

Explicit versions prevent fixing npm vulnerabilities

m3fawner opened this issue

Lodash 4.17.20 has a reported vulnerability addressed in version 4.17.21; however, as a result of explicitly requiring 4.17.20 in Dyson, we can't effectively address the vulnerability.

Would you be against having all of the packages have the appropriate semantic modifiers?

Good idea, I've just published v4 (major bump because of Node.js v10).

Thank you!
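
The pinning problem raised in this issue, as an added example that is not part of the thread or of dyson's code: a small check of whether a declared dependency range lets a patched release through. The two manifests are constructed for illustration (only the lodash versions come from the issue), and the checker handles only exact, caret and tilde ranges on plain `x.y.z` versions.

```javascript
// Added example: constructed manifests, not dyson's actual package.json.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
};

const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// Exclusive upper bound of a caret or tilde range, following npm semver rules.
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Returns 'admits', 'blocks', or 'unsupported' (range forms not handled here).
function rangeAdmits(range, version) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  const target = parse(version);
  if (!m || !target) return 'unsupported';
  const base = parse(m[2]);
  if (m[1] === '') return cmp(base, target) === 0 ? 'admits' : 'blocks';
  const ok = cmp(target, base) >= 0 && cmp(target, upperBound(m[1], base)) < 0;
  return ok ? 'admits' : 'blocks';
}

// For each advisory {name, patched}, report how the manifest's range treats the fix.
function auditPins(manifest, advisories) {
  const deps = manifest.dependencies || {};
  return advisories
    .filter((a) => Object.prototype.hasOwnProperty.call(deps, a.name))
    .map((a) => ({ name: a.name, range: deps[a.name], patched: a.patched,
                   result: rangeAdmits(deps[a.name], a.patched) }));
}

const pinned = { dependencies: { lodash: '4.17.20' } };   // constructed: exact pin
const ranged = { dependencies: { lodash: '^4.17.20' } };  // constructed: caret range
const advisories = [{ name: 'lodash', patched: '4.17.21' }];

console.log(auditPins(pinned, advisories)); // exact pin excludes the patched release
console.log(auditPins(ranged, advisories)); // caret range lets the patched release in
```

A `blocks` result on a library's own manifest means consumers cannot pick up the fix through a normal install or update until the library itself republishes.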