
> Be chad lodash dev
> new security vulnerability discovered in April
> low
> virgin devs ask to fix https://github.com/lodash/lodash/...
> giving no shit, because lodash stronk https://github.com/lodash/lodash/...
> fast forward now
> NPM lists lodash as vulnerability, because no fix
> 1000s of downstream projects affected
> https://github.com/lodash/lodash/...
> surprised pikachu face
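The rant's point is that one unpatched package gets flagged by npm and every project that transitively depends on it inherits the finding. Before arguing about whether to drop lodash, a practitioner wants to know which copies of it are actually installed and which of their own dependencies pull each copy in. The following is an added example (not the rant author's code and not anything from the lodash project) that walks a package-lock.json in the lockfileVersion 1 layout (nested `dependencies` objects, each with `version`, optional `requires` and optional nested `dependencies`) and answers those two questions, then flags installed copies older than a fixed version. `SAMPLE_LOCK` is constructed data, and the `fixedIn` value used at the bottom is an arbitrary placeholder; take the real threshold from the advisory itself.

```javascript
// Added example: inspect a lockfileVersion 1 package-lock.json for one package.
// SAMPLE_LOCK is constructed for this example; it is not a real lock file.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.15" },
    "some-cli": {
      version: "2.0.0",
      requires: { lodash: "^4.17.11", "deep-tool": "1.0.0" },
      dependencies: {
        "deep-tool": { version: "1.0.0", requires: { lodash: "^4.17.0" } }
      }
    },
    "plain-lib": {
      version: "1.2.3",
      requires: { lodash: "4.17.10" },
      // plain-lib pins an older lodash, so npm installed a second, nested copy
      dependencies: { lodash: { version: "4.17.10" } }
    }
  }
};

// Depth-first walk over every entry. cb receives (name, entry, path, ancestors)
// where ancestors is the chain of enclosing nodes, root first.
function walkLock(lock, cb) {
  function walk(node, path, ancestors) {
    for (const [name, entry] of Object.entries(node.dependencies || {})) {
      const entryPath = path.concat(name);
      cb(name, entry, entryPath, ancestors.concat(node));
      walk(entry, entryPath, ancestors.concat(node));
    }
  }
  walk(lock, [], []);
}

// Node-style resolution: the nearest enclosing node_modules that holds `name`.
function resolveInstalled(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies;
    if (deps && deps[name]) return deps[name].version;
  }
  return null;
}

// Every installed copy of `target`, with the nesting path npm placed it at.
function findInstalledCopies(lock, target) {
  const copies = [];
  walkLock(lock, (name, entry, path) => {
    if (name === target) copies.push({ path: path.join(" > "), version: entry.version });
  });
  return copies;
}

// Every package that declares `target` in its requires, plus the version it
// actually resolves to (a nested copy shadows the top-level one).
function findRequirers(lock, target) {
  const hits = [];
  walkLock(lock, (name, entry, path, ancestors) => {
    const range = entry.requires && entry.requires[target];
    if (!range) return;
    const resolved = resolveInstalled(target, ancestors.concat(entry));
    hits.push({ path: path.join(" > "), range, resolved });
  });
  return hits;
}

// Plain x.y.z comparison; enough for release versions, not pre-release tags.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Installed copies older than fixedIn. fixedIn must come from the advisory.
function vulnerableCopies(lock, target, fixedIn) {
  return findInstalledCopies(lock, target)
    .filter((c) => compareVersions(c.version, fixedIn) < 0);
}

// Human-readable summary; "4.17.12" below is an arbitrary placeholder threshold.
function report(lock, target, fixedIn) {
  const lines = [];
  for (const c of findInstalledCopies(lock, target)) lines.push(`installed ${c.path} @ ${c.version}`);
  for (const r of findRequirers(lock, target)) lines.push(`${r.path} requires ${target}@${r.range} -> ${r.resolved}`);
  for (const v of vulnerableCopies(lock, target, fixedIn)) lines.push(`BELOW ${fixedIn}: ${v.path} @ ${v.version}`);
  return lines;
}

console.log(report(SAMPLE_LOCK, "lodash", "4.17.12").join("\n"));
```

The useful output is the requirer list: upgrading the top-level `lodash` entry fixes `some-cli` and `deep-tool`, but `plain-lib` keeps its own nested copy until `plain-lib` itself relaxes its pin or you force the version with an override. That is why one unpatched upstream package shows up in thousands of downstream audits, and why "just bump it" is often not enough.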

Comments
  • 4
  • 6
    Lodash is the new jQuery, a steaming pile of shit people choose because they want to use .map / .each across legacy platforms. Next thing you know, the whole codebase is full of pointless calls to lodash functions for things most browsers have supported for 5 years.
  • 0
    Totally agree @Hitko. My team only uses it because of some legacy code which no one wants to touch.
  • 4
    This is what happens when devs are unable to pull their heads out of their asses. Hundreds of thousands of dependencies affected and it's not a priority issue for them. Fucking disgrace. But well, what do they care; in the end they can always say fuck it, it's open source and we're not getting paid for it.
  • 0
    @zemaitis So what would the alternative be? No open source and having to build everything yourself?
  • 4
    Yet another example that shows how careless JDalton is with regard to the security of the tools he maintains.

    Echoing what @hitko said, why would anyone in 2020 use lodash (or even underscore) when a good chunk of the provided methods are natively available (and **faster** than lodash)?

    For those interested in the native vs lodash stuff, have a look at https://github.com/goldbergyoni/...
  • 7
    I warned someone here a few days ago they should get off lodash due to it serving no real purpose anymore. Didn't realize it had gone that far down the toilet though.
  • 3
    Someone needs to get rid of this guy's ownership of Lodash.
  • 2
    @pdinklaedch The alternative would be: if your open source project became too big or you can't manage it, then find someone else who can take care of it instead of letting it die slowly.
  • 3
    @zemaitis In the case of lodash, dying slowly is probably for the best - it's a library which served a specific purpose at a specific point in time, and no amount of maintainers can change the fact that it's over.