diff --git a/1.9.1.tar.gz b/1.9.1.tar.gz
deleted file mode 100644
index 6eccaf7cbb23daf43e002913ce8f39859a517e4c..0000000000000000000000000000000000000000
Binary files a/1.9.1.tar.gz and /dev/null differ
diff --git a/CVE-2021-23358.patch b/CVE-2021-23358.patch
deleted file mode 100644
index 9f99808edd1a6dbad677f5ed10d956921d47bdff..0000000000000000000000000000000000000000
--- a/CVE-2021-23358.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 4c73526d43838ad6ab43a6134728776632adeb66 Mon Sep 17 00:00:00 2001
-From: Julian Gonggrijp
-Date: Sat, 13 Mar 2021 22:38:44 +0100
-Subject: [PATCH] Fix #2911
-
----
- underscore.js | 23 +++++++++++++++++++----
- 1 files changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/underscore.js b/underscore.js
-index 3af6352e6..798eda091 100644
---- a/underscore.js
-+++ b/underscore.js
-@@ -1550,6 +1550,13 @@
- return '\\' + escapes[match];
- };
-
-+ // In order to prevent third-party code injection through
-+ // `_.templateSettings.variable`, we test it against the following regular
-+ // expression. It is intentionally a bit more liberal than just matching valid
-+ // identifiers, but still prevents possible loopholes through defaults or
-+ // destructuring assignment.
-+ var bareIdentifier = /^\s*(\w|\$)+\s*$/;
-+
- // JavaScript micro-templating, similar to John Resig's implementation.
- // Underscore templating handles arbitrary delimiters, preserves whitespace,
- // and correctly escapes quotes within interpolated code.
-@@ -1585,8 +1592,17 @@
- });
- source += "';\n";
-
-- // If a variable is not specified, place data values in local scope.
-- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
-+ var argument = settings.variable;
-+ if (argument) {
-+ // Insure against third-party code injection.
-+ if (!bareIdentifier.test(argument)) throw new Error(
-+ 'variable is not a bare identifier: ' + argument
-+ );
-+ } else {
-+ // If a variable is not specified, place data values in local scope.
-+ source = 'with(obj||{}){\n' + source + '}\n';
-+ argument = 'obj';
-+ }
-
- source = "var __t,__p='',__j=Array.prototype.join," +
- "print=function(){__p+=__j.call(arguments,'');};\n" +
-@@ -1594,7 +1610,7 @@
-
- var render;
- try {
-- render = new Function(settings.variable || 'obj', '_', source);
-+ render = new Function(argument, '_', source);
- } catch (e) {
- e.source = source;
- throw e;
-@@ -1605,7 +1621,6 @@
- };
-
- // Provide the compiled source as a convenience for precompilation.
-- var argument = settings.variable || 'obj';
- template.source = 'function(' + argument + '){\n' + source + '}';
-
- return template;
diff --git a/nodejs-underscore.spec b/nodejs-underscore.spec
index f38e73ffab7a62f478b5ccfdb6844012045fb90c..3ac2a0cf3d8d89ef3941544e03bffde5366398da 100644
--- a/nodejs-underscore.spec
+++ b/nodejs-underscore.spec
@@ -2,13 +2,12 @@
 %global enable_tests 0
 %global installdir %{_jsdir}/underscore
 Name: nodejs-underscore
-Version: 1.9.1
-Release: 2
+Version: 1.13.6
+Release: 1
 Summary: JavaScript's functional programming helper library
 License: MIT
 URL: http://github.com/jashkenas/underscore
-Source0: http://github.com/jashkenas/underscore/archive/%{version}.tar.gz
-Patch0000: CVE-2021-23358.patch
+Source0: https://github.com/jashkenas/underscore/archive/%{version}/underscore-%{version}.tar.gz
 BuildArch: noarch
 ExclusiveArch: %{nodejs_arches} noarch
 BuildRequires: web-assets-devel
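Review bot: Removing `Patch0000: CVE-2021-23358.patch` in this hunk is only safe if the 1.13.6 tarball already contains the `bareIdentifier` check on `settings.variable` that the deleted patch placed in front of `new Function(argument, '_', source)`, and nothing in the spec or the changelog records that this was verified. After confirming the check is present in the shipped `underscore.js`, I would add a changelog line such as `- Drop CVE-2021-23358.patch, fix is included in the new upstream release` so the CVE stays traceable in the package history. The `URL:` context line still uses `http://` while `Source0` was moved to `https://`; `URL: https://github.com/jashkenas/underscore` would keep the two consistent.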
@@ -32,18 +31,17 @@ extending any core JavaScript objects.
 %prep
 %autosetup -n underscore-%{version}
-rm -f underscore-min.*
 %build
-/usr/bin/uglifyjs underscore.js -m --source-map underscore-min.map \
- -o underscore-min.js
+/usr/bin/uglifyjs underscore.js -m --source-map -o underscore-min.js
 %install
 mkdir -p %{buildroot}%{nodejs_sitelib}/underscore
-cp -pr package.json underscore.js underscore-min.js underscore-min.map \
+cp -pr package.json underscore*.js underscore*.cjs underscore*.map \
 %{buildroot}%{nodejs_sitelib}/underscore
+
 mkdir -p %{buildroot}%{installdir}
-cp -pr underscore.js underscore-min.js underscore-min.map \
+cp -pr underscore.js underscore-min.js underscore-min.js.map \
 %{buildroot}%{installdir}
 %if 0%{?enable_tests}
@@ -62,6 +60,9 @@ cp -pr underscore.js underscore-min.js underscore-min.map \
 %{installdir}
 %changelog
+* Mon Oct 30 2023 wulei - 1.13.6-1
+- Update to 1.13.6
+
 * Fri Apr 16 2021 wangxiao - 1.9.1-2
 - Fix CVE-2021-23358
diff --git a/underscore-1.13.6.tar.gz b/underscore-1.13.6.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..56a348f9e7c5d03fcd2fdeb8f4f67a4508be2951
Binary files /dev/null and b/underscore-1.13.6.tar.gz differ
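Review bot: Any minified or bundled files that ship in the upstream tarball are now packaged as-is, because `%prep` no longer runs `rm -f underscore-min.*` and the first `cp` in `%install` was widened to the globs `underscore*.js underscore*.cjs underscore*.map`; only `underscore-min.js` is regenerated by the `uglifyjs` call in `%build`. Prebuilt minified JavaScript cannot be checked against the source it claims to come from, so I would keep a cleanup step in `%prep` (for example `rm -f underscore*-min.*`, assuming that pattern matches what the tarball contains) and list the files to install by name instead of by glob. The second `cp` now expects `underscore-min.js.map`, which depends on the map file name the installed uglifyjs writes for `--source-map -o underscore-min.js`; if the build does not produce that name, the file copied would be whatever the tarball shipped, so this is worth confirming in a build log.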