remove lodash

[deleonio]

No description provided.

[s100]

The priority of this task may be about to increase due to this prototype pollution vulnerability in lodash, which lodash's maintainers seem not to be acting on.

[Pomax]

gentle reminder that this issue exists, and is still an exceptionally good idea. Also because lodash is a huge dependency for the handful of (by now effectively covered by vanilla JS) functions that the code relies on.

[s100]

@Pomax request-promise-core is used primarily by request-promise, request-promise-any, request-promise-bluebird and request-promise-native. All of those packages are heavily deprecated and have not been under active development for several years. So, I would be extremely surprised to see request-promise-core ever change again. I strongly recommend migrating away from request-promise-core - or whatever you use which uses request-promise-core internally - to something else.

(The prototype pollution vulnerability in lodash is long since fixed, at least.)

[Pomax]

I'd love to, but this wasn't because I'm using promise-core, but because a millions-of-installs-a-day package has it as a dependency of a dependency of a dependency. (request-promise is used by almost 10,000 other packages)

[s100]

request-promise is deprecated and unmaintained, even for security fixes. As painful as it may be, migrating away from it is the only solution to your problem.