Security alert for lodash dependancy version

Question

Security alert for lodash dependancy version

KlapTrap opened this issue 5 years ago · comments

See https://app.snyk.io/test/npm/ngrx-store-localstorage/7.0.0 for the report.

David Burke · Answer 1 · Sat May 25 2019 22:13:37 GMT+0800 (China Standard Time)

Related issue. championswimmer/vuex-persist#114

Ideally we'd just not use lodash at all. But implementing a deep merge function is not trivial. I looked at lodash-es but it requires a lot of complicated webpack set up to get any actual benefit. Open to suggestions here.

David Burke · Answer 2 · Mon May 27 2019 22:13:25 GMT+0800 (China Standard Time)

I recommend we solve this by switching to deepmerge instead. However this would require testing and validation from the community.

David Burke · Answer 3 · Wed May 29 2019 03:53:52 GMT+0800 (China Standard Time)

@KlapTrap would you be interested in trying out the deepmerge branch and verifying it works as expected? I'd like as much review on this as possible.

Nathan · Answer 4 · Wed Jun 19 2019 17:27:39 GMT+0800 (China Standard Time)

@bufke Sorry for the late reply. Thanks for look into this. We've been using https://github.com/cf-stratos/ngrx-store-localstorage/tree/lodash-dep-update as a temporary work around. I'll look into switching to the deep merge branch today and get back to you asap.

David Burke · Answer 5 · Thu Jul 25 2019 22:04:14 GMT+0800 (China Standard Time)

Fixed in 8.0