
Remove lodash? #2279

Closed
@danielnixon

Description

Lodash has an open security vuln and shows signs of being borderline unmaintained.

Repro

  1. Install typescript-eslint/eslint-plugin
  2. Check your Snyk report (e.g. https://snyk.io/test/github/danielnixon/eslint-plugin-total-functions?targetFile=package.json)
  3. Or run yarn audit / npm audit

Expected Result

No security vuln reported

Actual Result

Lodash security vuln reported

Additional Info

It looks like typescript-estree only uses lodash once, for unescape. unescape happens to be tiny and unlikely to evolve over time: https://github.com/lodash/lodash/blob/4.17.11/lodash.js#L15145

I'd be happy to raise a PR to inline unescape (or maybe replace it with https://www.npmjs.com/package/he or something) and remove the lodash dependency.

Versions

Latest
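As an added illustration (not code from the issue or the typescript-eslint project), this is what inlining lodash's `unescape` looks like: a dependency-free function covering the same five HTML entities that lodash 4.17.11 maps back. It assumes the caller only needs lodash's behaviour, not the full entity decoding a library such as `he` provides.

```javascript
// Added example, not from the issue or the typescript-eslint project.
// lodash 4.17.11's unescape reverses exactly these five entities and
// leaves every other sequence ("&copy;", "&#x27;", ...) untouched.
const htmlUnescapes = {
  '&amp;': '&',
  '&lt;': '<',
  '&gt;': '>',
  '&quot;': '"',
  '&#39;': "'",
};

// Matches only the entities in the table above; anything else passes through.
const reEscapedHtml = /&(?:amp|lt|gt|quot|#39);/g;

// Drop-in replacement for _.unescape. null/undefined become '' (lodash's
// toString does the same); other values are coerced to string.
function unescape(value) {
  const str = value == null ? '' : String(value);
  return str.replace(reEscapedHtml, (entity) => htmlUnescapes[entity]);
}

// Single-pass decoding: a doubly escaped input decodes only one level, so
// "&amp;lt;" becomes "&lt;", not "<". This matches lodash and is the
// property a consumer relying on the inlined version should keep in mind.
function decodesOneLevel(input) {
  return unescape(unescape(input)) !== unescape(input);
}

module.exports = { unescape, decodesOneLevel };
```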

Metadata

Assignees

No one assigned

Labels

  - dependencies: Issue about dependencies of the package
  - help wanted: Extra attention is needed
  - package: typescript-estree: Issues related to @typescript-eslint/typescript-estree
