Remove Lodash as dependency #19205
Comments
|
But why has the CVE been retracted? Doesn't that mean it was no security issue after all? It's very difficult to piece together some information from a bunch of deleted issues. |
|
We've discussed this before. Just removing the inclusion of these Cypress utilities. We removed We'd be open to considering this - there would need to be docs and migration guides to guide people on replacement similar to moment had. Probably a MUCH bigger PR and more affecting breaking changes for lodash removal though. |
jennifer-shehane
added
the
type: breaking change
|
I am all for having more bundled libraries, but if anyone is looking to
include their own, here is my recipe
https://cypresstips.substack.com/p/cypressramda
On the personal note, love Lodash
…On Thu, Dec 2, 2021 at 3:26 PM Jennifer Shehane ***@***.***> wrote:
We've discussed this before. Just removing the inclusion of these Cypress
utilities. We removed Cypress.moment() for example and the reasoning was,
people can just include whatever they'd like themselves.
We'd be open to considering this - there would need to be docs and
migration guides to guide people on replacement similar to moment had.
Probably a MUCH bigger PR and more affecting breaking changes for lodash
removal though.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#19205 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQ4BJXF4VOPGH2I4TZPYITUO7I7LANCNFSM5JIAFXWA>
.
--
Dr. Gleb Bahmutov, PhD
Schedule video chat / phone call / meeting with me via
https://calendly.com/bahmutov
***@***.*** @bahmutov ***@***.***>
https://glebbahmutov.com/ https://glebbahmutov.com/blog
https://github.com/bahmutov
|
I don't know. All the reactions are removed. And that is exactly the issue.
I think I don't like the CVEs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Lodash |
|
Several of those CVEs are not even about lodash, they simply mention it. The lodash list of CVEs is admirably small considering how widely it is used. As for this particular CVE, the archived ticket clearly explains why it is not a vulnerability. The template is controlled by the developer, the user data filling the template is a separate thing and not exploitable. |
|
My point is that there are hiding security discussions. It really not OK we should search in web archives for finding a reason why some things are disputed. |
|
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided. |
|
I think this request is still valid |
nagash77
added
type: feature
What would you like?
Remove lodash as a dependency.
Why is this needed?
Those guys don't take security seriously. See for example CVE-2021-41720
Other
No response
The text was updated successfully, but these errors were encountered: