CirclonGroup/angular-tree-component

[Question] Getting rid of lodash-es@4.17.20

somuda86 opened this issue · 5 comments

I believe and I noticed there was some effort around removing lodash-es and I see it has been removed. Is the latest release compatible with Angular 9?

I have not tested this, but would guess that there are some issues. The 9.0.3 version of the tree still has lodash-es in version 4.17.15 as a dependency. We can update this to 4.17.20 and release it as a new version. Would a new version help or do you need lodash-es to be gone completely?

Because of a fix for the virtual scroll we also updated older versions of the tree. In that update I added also the lodash-es update. So in the new version 9.0.4 there are two new bugfixes for virtual scroll and also the update for lodash-es to version 4.17.20.

lodash 4.17.20 won't solve the security issue. I request you to upgrade to 4.17.21. @tobiasengelhardt

@tobiasengelhardt I am sorry I should have commented earlier. But 9.0.4 has security issues as lodash 4.17.20 has to CWE issues. I am afraid you may have cut a new release with lodash-es 4.17.21. https://snyk.io/vuln/npm:lodash@4.17.20

There is now version 9.0.5 available with lodash-es 4.17.21. There will also be a 10.0.4 version with the same update. If there are new lodash issues in the future just open a new issue and we will update lodash again.