Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No longer maintained per method packages of lodash used as dependencies of our dependencies? #641

Closed
joshtrichards opened this issue Feb 29, 2024 · 1 comment
Closed

No longer maintained per method packages of lodash used as dependencies of our dependencies? #641

joshtrichards opened this issue Feb 29, 2024 · 1 comment

Comments

@joshtrichards
Copy link

With the caveat that this is not my area of expertise so I basically have no real idea what I'm talking about...

lodash deprecated the use of per method packages a long time ago:

As a result, they have been abandoned and have not received the same security updates and fixes as lodash / lodash-es

It appears we have various dependencies that depend on these per method packages. As a result we may be bringing along unmaintained versions of these lodash per method packages, even though we've updated the main lodash package.

Example

While this looks fine:

nextcloud-axios/package-lock.json

Lines 6197 to 6201 in b545847

"node_modules/lodash": {
"version": "4.17.21",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
"dev": true

These look like dead packages (and there are other similar examples in some of our other libraries):

nextcloud-axios/package-lock.json

Lines 6203 to 6221 in b545847

"node_modules/lodash.get": {
"version": "4.4.2",
"resolved": "https://registry.npmjs.org/lodash.get/-/lodash.get-4.4.2.tgz",
"integrity": "sha512-z+Uw/vLuy6gQe8cfaFWD7p0wVv8fJl3mbzXh33RS+0oW2wvUqiRXiQ69gLWSLpgB5/6sU+r6BlQR0MBILadqTQ==",
"dev": true
},
"node_modules/lodash.isequal": {
"version": "4.5.0",
"resolved": "https://registry.npmjs.org/lodash.isequal/-/lodash.isequal-4.5.0.tgz",
"integrity": "sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==",
"dev": true
},
"node_modules/lodash.merge": {
"version": "4.6.2",
"resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
"integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
"dev": true,
"peer": true
},

Most - all I think - of these are the result of dependencies that depend on these per method modules of lodash.

Since this isn't about overriding versions, but about wanting to change the dependency of our dependencies, what are our options here?

I'm not sure how this gets handled since this is not my aware of expertise at all (also means I may be misunderstanding how dependencies are being managed).

P.S. This came up while researching nextcloud/server#43894
@susnux
Copy link
Contributor

susnux commented Mar 1, 2024

We only can fix this in the using app by defining alias for the module resolution, BUT this might introduce nasty issues.

So the best way is to tell this upstream on the dependencies that they need to migrate.

@susnux susnux closed this as not planned Won't fix, can't repro, duplicate, stale Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joshtrichards @susnux