v3.x fix: remove deprecated lodash per-method packages for vulnerability fixes #80
Conversation
… and have reported vulnerabilities: https://lodash.com/per-method-packages
✋ The patch is possible, it will also remove the diff from the 4.0 PR. Good point!
It will also be very appreciated 🙏
Thank you @folkvir, I did the updates as you suggested, but the only concern was that the linter is reporting a wrong error on direct ES module imports (e.g.,
It seems to be an issue with the older version of
Just add the
diff --git a/package.json b/package.json
index d772555..7544c4d 100644
--- a/package.json
+++ b/package.json
@@ -120,7 +120,8 @@
"./src"
],
"tryExtensions": [
- ".ts"
+ ".ts",
+ ".js"
]
}
},
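Review bot: the hunk widens the extension list the lint resolver tries (".ts", then ".js") but leaves no record of why, and the thread attributes the false positive to an older version of the linter; since package.json cannot carry a comment, put a one-line note in the commit message or the contributing docs saying that ".js" is there to silence the spurious missing-import error on direct ES module imports, so it is not dropped as redundant once the linter is upgraded. Keep ".ts" ahead of ".js", as the hunk does, so TypeScript sources are tried first.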
Done. That fixed it. Thanks!
LGTM 👍 Thank you for the fix, very appreciated!
Released: https://github.com/Callidon/bloom-filters/releases/tag/v3.0.4
This PR applies a similar fix to #78, but specifically for version `3.0.3` of the library, which is compatible with Node.js v12+.

We are using this reliable library in the `@splitsoftware/splitio` package and need to maintain compatibility with v3 in order to support Node.js v14 and above. Since the upcoming v4 release will drop support for Node.js versions below v20, staying on v3 is important for us.

We would appreciate a new patch version (`3.0.4`) that includes this fix, to avoid some misleading vulnerability alerts related to deprecated lodash per-method packages, such as `lodash.eq` and `lodash.indexof`, which are sometimes flagged by security analysis tools.

If a patch release is not possible, please let us know, so we can consider an alternative approach, such as releasing a new temporary NPM package until we can migrate to v4. However, we believe this would be a valuable update for other users who might still be using older versions of Node.js.

Thanks in advance,
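The two packages the description names, `lodash.eq` and `lodash.indexof`, both compare with SameValueZero, which is what `Array.prototype.includes` uses and not what `===` or `Array.prototype.indexOf` use; the only observable difference is that SameValueZero treats `NaN` as equal to `NaN`. A migration that drops the packages and calls `Array.prototype.indexOf` instead therefore silently changes behaviour for `NaN` elements. The following is an added example of a semantics-preserving native replacement; it is not code from this PR or from bloom-filters, and it assumes the project relied on those two functions for SameValueZero comparison (the PR does not show how they were used). The sample array is constructed for the demonstration.

```typescript
// Added example, not bloom-filters' own code: native replacements for the
// deprecated `lodash.eq` and `lodash.indexof` per-method packages, keeping
// lodash's SameValueZero semantics so that NaN lookups do not change behaviour.

/** SameValueZero comparison, the relation lodash.eq implements. */
function eq(a: unknown, b: unknown): boolean {
  // `===` is correct for every value except NaN (NaN !== NaN); the
  // self-inequality test below is satisfied only by NaN, so this treats
  // NaN as equal to NaN while still treating +0 and -0 as equal.
  return a === b || (a !== a && b !== b);
}

/**
 * Drop-in replacement for lodash.indexof: index of the first element of
 * `array` equal to `value` under SameValueZero, searching from `fromIndex`.
 * A negative `fromIndex` counts from the end, as in lodash and
 * Array.prototype.indexOf; a non-integer one is truncated.
 */
function indexOf<T>(array: readonly T[], value: T, fromIndex = 0): number {
  const length = array.length;
  if (length === 0) return -1;
  // Math.trunc(NaN) is NaN, so `|| 0` falls back to a start index of 0.
  let index = Math.trunc(fromIndex) || 0;
  if (index < 0) index = Math.max(length + index, 0);
  for (; index < length; index++) {
    if (eq(array[index], value)) return index;
  }
  return -1;
}

/**
 * Shows where the native methods diverge from the lodash semantics, so a
 * migration can check it is not changing results for NaN elements.
 */
function compareWithNative(): { nativeIndexOf: number; replacement: number; includes: boolean } {
  const sample = [1, NaN, 2]; // constructed sample input
  return {
    nativeIndexOf: sample.indexOf(NaN), // -1: strict equality never matches NaN
    replacement: indexOf(sample, NaN),  // 1: SameValueZero finds it
    includes: sample.includes(NaN),     // true: includes also uses SameValueZero
  };
}
```

If the call sites only need a boolean, `Array.prototype.includes` is already the SameValueZero native and needs no helper; `indexOf` above is only required where the position is used, or where a `fromIndex` is passed.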