node-soap

Totally remove lodash

Open JbIPS opened this issue 1 year ago • 6 comments

Replace lodash functions by ESNext style functions or by deepmerge-ts (lighter and more maintained)

JbIPS, Jul 22 '24 21:07

Seems like tests do not quite work.

w666, Aug 02 '24 07:08

I was thinking about this change and don't see any benefits in removing lodash. While it was not updated for 4 years, it seems like version 5 will be released at some point.

After my recent changes, node-soap does not contain any vulnerabilities.

If you have a different point of view, I am happy to discuss it.

w666, Aug 20 '24 07:08

I will update this PR after summer break.

Concerning the why, I have 2 reasons to remove this kind of dependency:

  • It can be considered as "unmaintained" after 4 years, and I personally doubt it will have a rebirth. The discovery of a vuln seems bound to happen
  • Most of the useful functions are now in the standard API
  • The package weighs 1.41MB and you're just cherry-picking a few functions

I understand those are very opinionated reasons and I'll understand if you do not wish to remove it.

JbIPS, Aug 20 '24 18:08

Hi @JbIPS,

Okay, happy to discuss the proposed solution.

w666, Aug 21 '24 07:08

I had another look at it ... that is not that easy, deepmerge-ts is not enough. Some stuff can be replaced with native JS features, but not all. Too much work to replace what works just fine.

w666, Oct 22 '24 09:10

Prior work on this: #1122

smokhov, Jun 18 '25 21:06