
No longer maintained per method packages of lodash used as dependencies of our dependencies? #641

Open
joshtrichards opened this issue Feb 29, 2024 · 1 comment

Comments

@joshtrichards

With the caveat that this is not my area of expertise so I basically have no real idea what I'm talking about...

lodash deprecated the use of per method packages a long time ago:

As a result, they have been abandoned and have not received the same security updates and fixes as lodash / lodash-es.

It appears we have various dependencies that depend on these per method packages. As a result we may be bringing along unmaintained versions of these lodash per method packages, even though we've updated the main lodash package.

Example

While this looks fine:

```json
"node_modules/lodash": {
  "version": "4.17.21",
  "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
  "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
  "dev": true
},
```

These look like dead packages (and there are other similar examples in some of our other libraries):

```json
"node_modules/lodash.get": {
  "version": "4.4.2",
  "resolved": "https://registry.npmjs.org/lodash.get/-/lodash.get-4.4.2.tgz",
  "integrity": "sha512-z+Uw/vLuy6gQe8cfaFWD7p0wVv8fJl3mbzXh33RS+0oW2wvUqiRXiQ69gLWSLpgB5/6sU+r6BlQR0MBILadqTQ==",
  "dev": true
},
"node_modules/lodash.isequal": {
  "version": "4.5.0",
  "resolved": "https://registry.npmjs.org/lodash.isequal/-/lodash.isequal-4.5.0.tgz",
  "integrity": "sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==",
  "dev": true
},
"node_modules/lodash.merge": {
  "version": "4.6.2",
  "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
  "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
  "dev": true,
  "peer": true
},
```

Most - all I think - of these are the result of dependencies that depend on these per method modules of lodash.

Since this isn't about overriding versions, but about wanting to change the dependency of our dependencies, what are our options here?

I'm not sure how this gets handled since this is not my area of expertise at all (also means I may be misunderstanding how dependencies are being managed).

P.S. This came up while researching nextcloud/server#43894

@susnux
Contributor

susnux commented Mar 1, 2024

We can only fix this in the using app by defining an alias for the module resolution, BUT this might introduce nasty issues.

So the best way is to tell this upstream on the dependencies that they need to migrate.
