
refactor: replace lodash with lodash.iserror

Open erisu opened this issue 4 years ago • 0 comments

Issue

Lodash is one of those packages that seems to have recurring reports for vulnerabilities. We are also loading an entire lodash library for only one method.

As it appears that nerror isn't updated frequently, we should try to not rely on a package that might lead to recurring vulnerabilities, as we might need to constantly monitor and update if they decide to stop pushing updates to older releases.

Solution

IMO, it would be safer to install the specific lodash export module for the isError method. Out of the entire lodash package, we only use the isError method.

In this case, we can install the lodash.iserror package instead of lodash. This will potentially reduce the possibility of seeing a vulnerability.

As an additional bonus, using lodash.iserror package will also greatly reduce the size of the install.

lodash:

npm notice package size:  319.0 kB
npm notice unpacked size: 1.4 MB

lodash.iserror:

npm notice package size:  2.2 kB
npm notice unpacked size: 4.4 kB

erisu, Oct 11 '21 13:10