panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Consider stopping using `lodash`? #272

Closed s100 closed 4 years ago

s100 commented 4 years ago

There is a prototype pollution vulnerability in lodash, which lodash's maintainers seem not to be acting on. My suggestion is that moving away from lodash entirely might be an expedient way to resolve this.

Related, previously: #5, #171

panva commented 4 years ago

openid-client does not utilize the method in question and is therefore not affected. Nevertheless, removing lodash is something I’d support driving a PR forward for if you’re offering to put the time into it.
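To make the two points in this thread concrete (the prototype-pollution class s100 refers to, and panva's point that a consumer is only exposed if it actually calls the affected helper), here is an added example that is not code from openid-client or from lodash. The vulnerable `unsafeMerge`, the hardened `safeMerge`, and the JSON payload are all constructed for this illustration; the thread never names the specific lodash method, so nothing here should be read as that method's code.

```javascript
'use strict';

// Constructed for this illustration: a naive recursive merge of the kind
// found in many utility libraries. It is NOT lodash's code and NOT
// openid-client's code; it only reproduces the key-handling mistake.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      // BUG: target["__proto__"] resolves to Object.prototype, so the
      // recursion below writes attacker-chosen keys onto every object.
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: refuse the keys that reach the prototype chain, and only
// recurse into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. a JSON request body.
// JSON.parse produces an OWN property literally named "__proto__",
// which Object.keys() enumerates, unlike an object literal.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Runs one merge implementation against the payload and reports whether an
// unrelated, freshly created object now carries the injected property.
function probe(mergeFn) {
  const victim = {};
  mergeFn(victim, JSON.parse(PAYLOAD));
  const polluted = ({}).isAdmin === true;
  // Undo any pollution so the process stays usable for further checks.
  delete Object.prototype.isAdmin;
  return polluted;
}

// A caller that never touches the affected helper is not exposed by it;
// here that means only the naive merge shows pollution.
function demonstrate() {
  return {
    unsafePolluted: probe(unsafeMerge), // true
    safePolluted: probe(safeMerge),     // false
  };
}
```

The takeaway for a dependency audit is that the exposure is per call site, not per package: grep the consumer for the affected helper and for any code path that feeds it untrusted keys, and prefer a merge that filters `__proto__`, `constructor` and `prototype` (or builds results with `Object.create(null)`) when attacker-controlled JSON is involved.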