Replace generic lodash deps with more specific lodash.x deps
#12004
-
|
Trying to run a recent expo with babel project shows quite a few audit errors related to a security issue in lodash. Example: https://www.npmjs.com/advisories/1523 affects Now I am wondering if it would be a good idea to replace all the unspecific babel/packages/babel-types/package.json Line 20 in eea156b to be replaced with: "lodash.isplainobject": "^4.0.6",
"lodash.isregexp": "^4.0.1"and subsequently replace babel/packages/babel-types/src/converters/valueToNode.js Lines 2 to 3 in eea156b with import isPlainObject from "lodash.isplainobject";
import isRegExp from "lodash.isregexp"; This way any security audit issues that come up only show if they are relevant and likely the amount of packages loaded should be reduced. Would it be a good idea to send PR's that replace all this? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
Was already raised. |
Beta Was this translation helpful? Give feedback.
-
|
Oh Cool! I thought I looked for it properly, but its awesome to hear. |
Beta Was this translation helpful? Give feedback.
-
|
@martinheidegger also, FWIW, the package.json you linked to from babel-types is actually out of date: https://github.com/babel/babel/blob/main/packages/babel-types/package.json#L20 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for pointing that out. I was really just trying to see what the sentiment is around the topic and if I can help but you are hard at work on it, and I am sorry to have disturbed you. Thanks for the answers and the good work! |
Beta Was this translation helpful? Give feedback.
-
|
@martinheidegger there is absolutely no need to apologize! we appreciate you looking into this! |
Beta Was this translation helpful? Give feedback.
Was already raised.
lodash.*packages are deprecated and gonna be removed in lodash v5.https://github.com/babel/babel/pulls?q=is%3Apr+is%3Aopen+lodash