lodash is redundant #95
Comments
What if we installed the individual lodash dependencies? So instead of this:

```js
var _ = require('lodash')
_.isArray(foo)
_.isObject(bar)
```

...we'd do this:

```js
var isArray = require('lodash.isarray')
var isObject = require('lodash.isobject')
isArray(foo)
isObject(bar)
```

Thanks for pointing this out!
This has nothing to do with what I said.
I think we can remove lodash. Looking through the code it seems to me that lodash is only used for The Object deep copy is only used once. That can be pulled into a separate function in Helmet instead. There is also one usage of For the My suggestion is to use the core-util-is module for the "is" checks and keep an in-house version of the Object deep copy and remove lodash. If this sounds OK I'll gladly provide a PR for these changes.
Well, if
Talking about size; I think it's also possible to remove the dependency to
I don't think we should write things like I agree that requiring all of Lodash is probably overkill. We can just require the bits and pieces that we need. While that's not the same as "only include Lodash once," I think it solves the underlying problem. As far as Connect goes, we don't need it. We just need something that can "concatenate" a bunch of middlewares together. We could likely use something like Async's What do you think?
The above PR uses the same Yes; they are a tiny bit simpler than the lodash checks but are the very tiny amount of corner cases really an issue? I don't think so. Agree that the connect question is a separate issue.
Looking at the deep copy in csp; is a deep copy really needed? From what I can see, the Object being cloned is quite flat.
Closing this in favor of helmetjs/csp#12.
This removes Lodash from CSP also: helmetjs/csp#13
Thanks @hdf for bringing this up and @trygve-lie for the PRs! I released
Thanks for pulling the PRs and releasing this fast :-)
lodash is required by both helmet-csp and hsts. It is a fairly big dependency, that is installed twice. If it was set as a direct helmet requirement, then it would only be installed once (theoretically). Currently helmet is larger than express because of this, which is ridiculous.
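
The in-house replacement suggested in the comments (type checks plus a deep copy, with no lodash dependency), sketched as an added example. It is not Helmet's code; the function names and the sample options object are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical stand-ins for the lodash "is" checks discussed in the thread.
function isArray(value) {
  return Array.isArray(value);
}

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep copy for option objects built from primitives, arrays and plain objects.
// Anything else (functions, Dates, class instances) is returned by reference.
function deepCopy(value, seen = new Set()) {
  if (!isArray(value) && !isPlainObject(value)) return value;
  if (seen.has(value)) throw new TypeError('circular reference in options');
  seen.add(value);
  let copy;
  if (isArray(value)) {
    copy = value.map((item) => deepCopy(item, seen));
  } else {
    copy = {};
    for (const key of Object.keys(value)) {
      // defineProperty copies a key named "__proto__" as plain data
      // instead of changing the prototype of the copy.
      Object.defineProperty(copy, key, {
        value: deepCopy(value[key], seen),
        writable: true,
        enumerable: true,
        configurable: true
      });
    }
  }
  seen.delete(value);
  return copy;
}

// Constructed sample resembling CSP middleware options.
const sampleOptions = {
  directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", 'cdn.example.com'] },
  reportOnly: false
};
const sampleCopy = deepCopy(sampleOptions);
sampleCopy.directives.scriptSrc.push('other.example.com');
console.log(sampleOptions.directives.scriptSrc.length, sampleCopy.directives.scriptSrc.length);
```
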