CirclonGroup / angular-tree-component

A simple yet powerful tree component for Angular (>=2)
https://angular2-tree.readme.io/docs
MIT License
1.09k stars 489 forks

[Question] Getting rid of lodash-es@4.17.20 #896

Closed somuda86 closed 3 years ago

somuda86 commented 3 years ago

I believe and I noticed there was some effort around removing lodash-es and I see it has been removed. Is the latest release compatible with Angular 9?

tobiasengelhardt commented 3 years ago

I have not tested this, but would guess that there are some issues. The 9.0.3 version of the tree still has lodash-es in version 4.17.15 as a dependency. We can update this to 4.17.20 and release it as a new version. Would a new version help or do you need lodash-es to be gone completely?

tobiasengelhardt commented 3 years ago

Because of a fix for the virtual scroll we also updated older versions of the tree. In that update I also added the lodash-es update. So in the new version 9.0.4 there are two new bugfixes for virtual scroll and also the update for lodash-es to version 4.17.20.

somuda86 commented 3 years ago

lodash 4.17.20 won't solve the security issue. I request you to upgrade to 4.17.21. @tobiasengelhardt

somuda86 commented 3 years ago

@tobiasengelhardt I am sorry I should have commented earlier. But 9.0.4 has security issues as lodash 4.17.20 has to CWE issues. I am afraid you may have cut a new release with lodash-es 4.17.21. https://snyk.io/vuln/npm:lodash@4.17.20

tobiasengelhardt commented 3 years ago

There is now version 9.0.5 available with lodash-es 4.17.21. There will also be a 10.0.4 version with the same update. If there are new lodash issues in the future, just open a new issue and we will update lodash again.
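
A check for the situation discussed in this thread, added here as an example and not code from the project or its maintainers: it walks an npm lockfile and reports every installed copy of lodash or lodash-es, including nested transitive ones, that is older than 4.17.21. It assumes the lockfile v2/v3 `packages` layout; the sample lockfile and the `tree-lib` package name are constructed for illustration.

```javascript
// Constructed sample in npm lockfile v2/v3 layout (not taken from the issue).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash-es": { version: "4.17.21" },
    // "tree-lib" is a hypothetical dependency carrying its own nested copy.
    "node_modules/tree-lib/node_modules/lodash-es": { version: "4.17.20" },
    "node_modules/lodash": { version: "4.17.15" },
    "node_modules/lodash.merge": { version: "4.6.2" },
  },
};

const MIN_VERSION = "4.17.21"; // the version requested in the thread
const WATCHED = new Set(["lodash", "lodash-es"]);

// Compare plain x.y.z versions numerically; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" in the key,
// so nested (transitive) copies are matched as well as hoisted ones.
function packageName(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Return every watched package entry whose version is below minVersion.
function findOutdatedLodash(lock, minVersion = MIN_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!WATCHED.has(name) || !meta.version) continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

console.log(findOutdatedLodash(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of `package-lock.json`.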