Lodash dependency - required?

[Daveawb]

Is this a question? Yes and... no? Go figure.

I noticed that I had the full blown version of lodash in my dependencies once I had installed this package (which is excellent btw). I started to look through the code base to see if it really was required and I have only found these usages:

context-matcher.ts
_.isFunction
_.isString

config-factory.ts
_.assign
_.isString
_.isPlainObject

handlers.ts
_.camelCase
_.get
_.isFunction

http-proxy-middleware.ts
_.assign
_.isFunction

path-rewriter.ts
_.isFunction
_.forEach
_.isEmpty
_.isPlainObject
_.isUndefined
_.isNull
_.isEqual
_.isPlainObject
_.forIn

router.ts
_.isPlainObject
_.isFunction
_.forIn

Each one of these dependencies can be achieved easily with ES6 without the need for lodash, would you be willing to receive a PR to remove this dependancy?

Most of my projects are built by CI many times / day and anything I can do to reduce the time needed to bootstrap each run is always appeciated.

Is this a bug report?

No

Is this a feature request?

Sort of. This request is to remove the lodash dependancy from the project.

Motivation:

• Faster installs. Better performance.

Setup

Not applicable

[chimurai]

Ah, that's a trace of the node 0.10 era. Before we had transpilers like Babel or TypeScript.
Only recently converted to TypeScript to start modernising the codebase.
It's on the todo list to remove it.
Just didn't had the chance to work on it.

[Daveawb]

@chimurai happy to put in a PR to remove this.

The only ones I can see that'll need maybe more than a simple change are:
_.camelCase
_.get * depending on how it's used

[chimurai]

@Daveawb , would be really nice to have a helping hand.

Not always pretty to face the facts...

source: bundlephobia.com

[Daveawb]

Says it all doesn't it 💯

Sure, I've just had to do this for a number of my own repos so happy to take a look this weekend.

[Daveawb]

Made some headway over the weekend. A few tests still failing, will get to them this week at some point.

@chimurai I've also added the strict: true flag in tsconfig.json and adding types. If you'd prefer I didn't do this in this PR let me know.

[chimurai]

Nice. Think it is better to have strict: true in a separate PR.

[lattam]

You can also install only the functions you really use. That should reduce the size significantly.

npm i lodash.isfunction

etc.

[Daveawb]

@lattam I did consider this but really they still bring in a host of lodash functions that just aren't needed and still inflate the package size considerably. Also, they're removing the individual function imports in v5, see Jdaltons reply in lodash/lodash#3838 (comment)

[s100]

The priority of this task may be about to increase due to this prototype pollution vulnerability in lodash, which lodash's maintainers seem not to be acting on.

[Daveawb]

Yep ok, I'll crack on at the weekend, apologies, been a bit inactive on this for a while.

[Daveawb]

@chimurai nearly there now. I have 4 failing e2e tests that I need to sort out.

[chimurai]

let me know if you need any help

[Daveawb]

@chimurai nearly there now. I have 4 failing e2e tests that I need to sort out.

Actaully a second set of eyes on this might be useful. Debugging the websocket test is a pain.