-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reduce the usage of lodash (round 2) #145
Reduce the usage of lodash (round 2) #145
Conversation
Only function I could not re-write was defaults-deep. I moved the function to a utils folder, so we can remove it in the near future
I could not completly remove lodash, need help with 2 function calls: - stream.js --> _.get --> _.defaultsDeep
Maybe this can solve the CI issue?
It was depreceated and not maintained anymore: https://github.com/defunctzombie/zuul#readme
@addaleax I'm fighting with this one 😳 Do you know what this install error from Github Actions could indicate? |
I think the issues could be related to the pre-commit package, that did not get updates for 6 years 🤯. Is this package/pattern with a pre-commit something you would like to keep, or should I remove it? |
I think we want to keep it – generally, most of the @mongodb-js org’s repositories have this in one form or another. You could maybe try aligning this with https://github.com/mongodb-js/compass/blob/master/package.json in this regard? It’s not using the pre-commit package itself, so that might be something that could be replaced somehow. |
This shoul help align the style used in: https://github.com/mongodb-js/compass
@addaleax I pushed another commit to align with the compass setup, but I get a very similar error
Seems like a security issue. Should the github action somehow include a token or what? (can't find a reference for such a token in the compass repo) |
Hm yeah, I guess github rejects git+ssh for unknown users even if the requested resource is public? That’s weird, yup, especially considering that the Travis builds passed in the past |
I "fixed" the issue by following the tip here. Found some failing tests, after upgrading the BSON library. And finally made the github action workflow pass 🚀 🔥 Sorry for the alle the files changed, but I hope it's ok to review. I will be quick to resolve any questions/comments/change requests. Let me know if I should update anything @addaleax - so happy if we can remove all the security warnings on NPM install 🚀 |
Hi @addaleax - hope you had a great weekend. I would also like to know what you and the other maintainers think about converting the project to typescript? In my opinion it is just another factor that makes the library 5% more easy to consume (and maintain) 🧐 |
Objective --> remove lodash security warnings
The primary objective of this PR is to remove security warnings when using the library (maybe we can setup snyk.io later to warn about this?)
What changed
Simply upgrading lodash was not easy at all, and gave a tremendous amount of errors because a lot of functions were re-named or their API was modified.
In response to this, I converted must lodash functions to just using Node.js.
However there are 2 functions left:
_.get()
_.defaultsDeep()
I think
get
can be easily removed, when we upgrade the repo to Node.jsv14
, because then we can use?.
and??
syntax. I'm not so sure aboutdefaultsDeep
.But I decided to finish up the PR because, hey it works and Lodash is updated to the latest version 💃🏾 🚀
Positive side-effects
I actually think the source code will be more easy to read with the reduced usage of lodash.
Closes #135
Closes #142