26

> Be chad lodash dev
> new security vulnerability discovered in April
> low
> virgin devs ask to fix https://github.com/lodash/lodash/...
> giving no shit, because lodash stronk https://github.com/lodash/lodash/...
> fast forward now
> NPM lists lodash as vulnerability, because no fix
> 1000s of downstream projects affected
> https://github.com/lodash/lodash/...
> surprised pikachu face

Comments
  • 4
  • 6
    Lodash is the new jQuery, a steaming pile of shit people choose because they want to use .map / .each across legacy platforms. Next thing you know, whole codebase is full of pointless calls to lodash functions for things most browsers support since 5 years ago.
  • 0
    Totally agree @Hitko. My team only uses it because some Legacy Code which no one wants to touch
  • 4
    This is what happens when devs are unable to pull out their heads out of their asses. Hundreds of thousands dependencies affected and its not a priority issue of them. Fucking disgrace. But well what do they care, in the end they can always say fuck it its opensource and were not getting paid for it.
  • 0
    @zemaitis So what would the alternative be? No open source and having to build everything yourself?
  • 4
    Yet another example that shows how careless JDalton is in regards to the security of the tools he maintains.

    Echoing what @hitko said, why would anyone in 2020 use lodash (or even underscore) when a good chunk of the provided methods are natively available (and **faster** than lodash)?

    For those interested in the native vs lodash stuff, have a look at https://github.com/goldbergyoni/...
  • 7
    I warned someone here a few days ago they should get off lodash due to it serving no real purpose anymore. Didn't realize it had gone that far down the toilet though.
  • 3
    Someone needs to get rid of this guy's ownership of Lodash.
  • 2
    @pdinklaedch Alternative would be if ur opensource became too big or u cant manage it then find someone else who can take care of it instead of letting it die slowly.
  • 3
    @zemaitis In case of lodash dying slowly is probably for the best - it's a library which served a specific purpose at specific point in time, and no amount of maintainers can change the fact that it's over.
Add Comment