Open mattkime opened 4 years ago
@watson introduced eslint rules to disallow lodash's `set` function in #67452, because it is susceptible to prototype pollution. We introduced a safer drop-in replacement for this, but I'm not personally opposed to dropping this altogether either.
I do want to make sure that we aren't making life difficult for other teams though -- I'd rather support our custom, "safer" `set` function than have a developer add another similar dependency that flies under the radar, which in turn ends up breaking type safety and/or is vulnerable itself.
lodash set and get undermine type safety. This can make refactoring more difficult since changed object paths won't be caught by type checks and code that would otherwise throw will provide defaults or create object paths.
Further, the usefulness of `_.get` has been reduced by optional chaining and nullish coalescing.