[0.5.x] Migrate to lodash-es #62
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Drafting until @timacdonald can review. |
timacdonald
changed the title
timacdonald
approved these changes
Jan 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request represents a significant enhancement to our project's dependency management and security posture. We are transitioning from using individual lodash packages to the unified lodash package. This change is motivated by two primary factors: the discontinuation of maintenance for individual lodash modules and a critical security vulnerability in lodash.set.
Key changes:
Unified Lodash Package: All individual lodash packages (lodash.*) are replaced with the single, comprehensive lodash package. This consolidation simplifies dependency management and ensures we are using the most up-to-date and supported version of lodash.
Security lodash.set: The individual lodash.set package currently utilized in our project has a known prototype pollution vulnerability (CWE-1321). By switching to the unified lodash package, we address this security issue, as the latest version of lodash has resolved this vulnerability.
Scope:
reactpackage for now