refactor: reduce library size by using lodash specific dependencies

[jakelacey2012]

This is to reduce the size of the bundle users have to install.

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

In 9.0.0 we introduced a change which depended on lodash as a whole, which meant our bundle size increased. We need to ensure our bundle size is small enough so customers can depend on it at the edge for serverless functions.

References

• https://github.com/auth0/node-jsonwebtoken/pull/916
• https://github.com/auth0/node-jsonwebtoken/issues/878
• https://github.com/auth0/node-jsonwebtoken/pull/852

Testing

• ✅ npm test are passing
• ✅ This change adds test coverage for new/changed/fixed functionality

Checklist

• [] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• [x] All active GitHub checks for tests, formatting, and security are passing
• [x] The correct base branch is being used, if not the default branch

[stefansundin]

@jakelacey2012

Unfortunately this is bad for security as these packages are very old and some of these packages have open CVEs which are never going to be fixed. I haven't verified if these packages in particular have open CVEs, but every package depending on lodash.pick got a vulnerability a few days ago. Additionally, if there's ever a lodash v5, these packages will not be updated. https://lodash.com/per-method-packages

As that website explains, you should be able to use the main package and import e.g. lodash/includes.

You can also use lodash-es and get tree shaking if your build pipeline supports ESM. https://www.npmjs.com/package/lodash-es