Remove lodash?

[danielnixon]

Lodash has an open security vuln and shows signs of being borderline unmaintained.

Repro

1. Install typescript-eslint/eslint-plugin
2. Check your Snyk report (e.g. https://snyk.io/test/github/danielnixon/eslint-plugin-total-functions?targetFile=package.json)
3. Or run yarn audit / npm audit

Expected Result

No security vuln reported

Actual Result

Lodash security vuln reported

Additional Info

It looks like typescript-estree only uses lodash once, for unescape. unescape happens to be tiny and unlikely to evolve over time: https://github.com/lodash/lodash/blob/4.17.11/lodash.js#L15145

I'd be happy to raise a PR to inline unescape (or maybe replace it with https://www.npmjs.com/package/he or something) and remove the lodash dependency.

Versions

Latest

[bradzacher]

Sure - happy to inline it if you want.
TBH I'm not even sure if this is required - I don't know what this check even does:

typescript-eslint/packages/typescript-estree/src/convert.ts

Lines 1917 to 1919 in 682eb7e

	} else {
	result.value = unescapeStringLiteralText(node.text);
	}

Maybe we don't even need to inline it and can just delete it altogether? Unsure.
Worth having a play around with - happy to accept a PR!

[dman777]

I second that request to remove lodash bloat

[papb]

I think 'borderline unmaintained' is very exaggerated. He is just looking for new maintainers to help.

[danielnixon]

I think 'borderline unmaintained' is very exaggerated.

Perhaps, but

• Vuln reported Oct 11 2019
• Publicly disclosed Apr 27/28 2020
• Fix published July 8 2020

seems to me like an intolerable timeline whatever you call it.

See also https://github.com/lodash/lodash/issues/4738#issuecomment-629698149 which I tend to agree with.

[JoshuaKGoldberg]

@danielnixon still planning on sending a PR for this? I can if not!

[danielnixon]

Please go for it @JoshuaKGoldberg

[JoshuaKGoldberg]

Fun fact: typescript-eslint actually uses two lodash members: memoize and unescape. I thought about this more, and a few thoughts against removing lodash come to mind:

• IMO there's still benefit to the "lodash ideology" of using the same stable functions & high quality docs across projects. Why bother recreating those methods internally when they're already available & well-documented?
• Lodash is already a transitive dependency many times over in yarn.lock, so removing it from direct usage does very little.

Consider this to be me "unassigning" myself from this issue, as much as a non-maintainer random contributor can. 😉

[danielnixon]

memoize is in eslint-plugin-tslint which will hopefully die off one day so I didn't consider it a priority for this ticket (just typescript-estree here).

Your other points are good. 👍 🤔

[dman777]

IMO there's still benefit to the "lodash ideology" of using the same stable functions & high quality docs across projects. Why bother recreating those methods internally when they're already available & well-documented?

The same applies to native JS and more so because JS is on everything and anything JS while lodash is not.

[bradzacher]

In the next release, typescript-estree will no longer have a dependency on lodash, thanks to @armano2.

[bradzacher]

There is still memoize in eslint-plugin-tslint

And in the interim one usage has been introduced into eslint-plugin (iirc this was due to a util from eslint that was inlined)

typescript-eslint/packages/eslint-plugin/src/util/astUtils.ts

Line 2 in f606846

import escapeRegExp from 'lodash/escapeRegExp';