Totally remove lodash #1247

JbIPS · 2024-07-22T21:52:35Z

Replace lodash functions by ESNext style functions or by deepmerge-ts (lighter and more maintened)

w666 · 2024-07-23T06:44:32Z

pnpm-lock.yaml

We use npm, please remove this file and run npm install so package-lock is in sync.

Sorry I missed that. It's fixed

`deepmerge-ts` seems to have an [issue](RebeccaStevens/deepmerge-ts#488) with a type file. Skipping lib check in `tsconfig.json` ([doc](https://www.typescriptlang.org/tsconfig/#skipLibCheck)) works around that and will increase compile time without drawbacks.

w666 · 2024-08-02T07:28:17Z

Seems like tests do not quite work.

w666 · 2024-08-17T04:25:49Z

src/client.ts

@@ -368,7 +367,7 @@ export class Client extends EventEmitter {
        if (!output || !output.$lookupTypes) {
          debug('Response element is not present. Unable to convert response xml to json.');
          //  If the response is JSON then return it as-is.
-          const json = _.isObject(body) ? body : tryJSONparse(body);
+          const json = body !== null && typeof body === 'object' ? body : tryJSONparse(body);


body can be undefined, should be something like

const json = body && typeof body === 'object' ? body : tryJSONparse(body);

w666 · 2024-08-20T07:42:38Z

I was thinking about this change and don't see any benefits in removing lodash. While it was not updated for 4 years, seems like version 5 will be released at some point.

After my recent changes node-soap does not contain any vulnerabilities.

If you have different point of view ii I happy to discuss it.

JbIPS · 2024-08-20T18:18:57Z

I will update this PR after summer break.

Concerning the why, I have 2 reasons to remove this kind of dependency:

It can be considered as "unmaintained" after 4 years, and I personally doubt it will have a rebirth. The discovery of a vuln seems bound to happen
Most of the useful functions are now in the standard API
The package weight 1.41MB and you're just cherry-picking a few functions

I understand those are very opinionated reasons and I'll understand if you do not wish to remove it.

w666 · 2024-08-21T07:37:53Z

Hi @JbIPS,

Okay, happy to discuss proposed solution.

w666 · 2024-10-22T09:29:24Z

I had another look on it ... that is not that easy, deepmerge-ts is not enough. Some stuff can be replaced with native JS features, but not all. Too much work to replace what works just fine.

Totally remove lodash

d5538d0

Replace lodash functions by ESNext style functions or by deepmerge-ts (lighter and more maintened)

w666 self-requested a review July 23, 2024 06:41

w666 reviewed Jul 23, 2024

View reviewed changes

JbIPS added 2 commits July 23, 2024 09:26

Fix lock file

189fff6

w666 reviewed Aug 20, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Totally remove lodash #1247

Totally remove lodash #1247

JbIPS commented Jul 22, 2024

w666 Jul 23, 2024

JbIPS Jul 23, 2024

w666 commented Aug 2, 2024

w666 Aug 17, 2024

w666 commented Aug 20, 2024

JbIPS commented Aug 20, 2024

w666 commented Aug 21, 2024

w666 commented Oct 22, 2024

Totally remove lodash #1247

Are you sure you want to change the base?

Totally remove lodash #1247

Conversation

JbIPS commented Jul 22, 2024

w666 Jul 23, 2024

Choose a reason for hiding this comment

JbIPS Jul 23, 2024

Choose a reason for hiding this comment

w666 commented Aug 2, 2024

w666 Aug 17, 2024

Choose a reason for hiding this comment

w666 commented Aug 20, 2024

JbIPS commented Aug 20, 2024

w666 commented Aug 21, 2024

w666 commented Oct 22, 2024