mifi / react-lottie-player

Fully declarative React Lottie player
MIT License

replace lodash clonedeep with merge-anything #40

Closed simonpkerr closed 3 years ago

simonpkerr commented 3 years ago

This replaces lodash with merge-anything, which is a fast, secure alternative to lodash. We constantly get security findings for anything related to lodash, whereas merge-anything seems to be ok.

mifi commented 3 years ago

Thanks for your PR.

The snyk security warning is for the lodash package, no? react-lottie-player doesn't depend on lodash, but on lodash.clonedeep. It doesn't look like this package has any vulnerabilities: https://snyk.io/vuln/search?q=lodash.clonedeep&type=npm

I don't generally like to use less popular packages unless there is a good reason for it. Looking at the npms score, lodash.clonedeep has a higher score than merge-anything.

It also has more subdependencies.

I'm not against replacing lodash.merge, but I don't really see a good reason in this case unless you can document why it's problematic.
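The distinction drawn in this reply (a finding against `lodash` says nothing about `lodash.clonedeep`, which is a separate npm package) is easy to get wrong when a scanner reports a name and someone greps for it. The following is an added example, not code from react-lottie-player or from either commenter: it walks a dependency lock in the shape of an npm lockfile v1 `dependencies` map and reports the exact chains through which a named package is reached, matching package names exactly rather than by prefix. The package names, versions and tree shape in `samplePackageJson` and `sampleLock` are constructed for illustration and are not the project's real dependency tree.

```javascript
// Added example (not part of react-lottie-player). Given a package.json-like
// object and a lockfile v1-style "dependencies" map, return every dependency
// chain that ends in `target`. Names are compared with === so that "lodash"
// and "lodash.clonedeep" are treated as the distinct packages they are.

// Constructed sample data: names and versions are illustrative only.
const samplePackageJson = {
  dependencies: {
    'react-lottie-player': '^0.0.0-example',
    'some-other-lib': '^1.0.0',
  },
};

const sampleLock = {
  dependencies: {
    'react-lottie-player': {
      version: '0.0.0-example',
      requires: { 'lodash.clonedeep': '^4.5.0' },
    },
    'lodash.clonedeep': { version: '4.5.0' },
    'some-other-lib': {
      version: '1.0.0',
      requires: { lodash: '^4.17.0' },
    },
    lodash: { version: '4.17.0' },
  },
};

// Lockfile v1 resolution: a "requires" entry is satisfied by the nearest
// enclosing "dependencies" map (innermost nested map first, root map last).
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return { entry: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    }
  }
  return null;
}

function findDependencyChains(pkgJson, lock, target) {
  const chains = [];

  function visit(name, scopes, path) {
    if (path.includes(name)) return; // guard against dependency cycles
    const resolved = resolve(name, scopes);
    if (!resolved) return; // not in the lock: nothing to report
    const nextPath = [...path, name];
    if (name === target) {
      chains.push(nextPath);
      return;
    }
    const { entry } = resolved;
    const nextScopes = entry.dependencies
      ? [...resolved.scopes, entry.dependencies]
      : resolved.scopes;
    for (const dep of Object.keys(entry.requires || {})) {
      visit(dep, nextScopes, nextPath);
    }
  }

  for (const direct of Object.keys(pkgJson.dependencies || {})) {
    visit(direct, [lock.dependencies || {}], []);
  }
  return chains;
}

// Convenience wrapper: does the root project pull in `target` at all?
function dependsOn(pkgJson, lock, target) {
  return findDependencyChains(pkgJson, lock, target).length > 0;
}

// Stand-alone run: the constructed tree reaches lodash only through
// some-other-lib, and lodash.clonedeep only through react-lottie-player.
for (const name of ['lodash', 'lodash.clonedeep', 'merge-anything']) {
  const chains = findDependencyChains(samplePackageJson, sampleLock, name);
  console.log(name, chains.map((c) => c.join(' > ')));
}
```

Run it with `node` on a real `package.json` and `package-lock.json` (lockfile v1 shape) by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))`; the output tells you which of your direct dependencies actually introduce the flagged package, which is the question to answer before swapping a dependency in response to a scanner finding.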

simonpkerr commented 3 years ago

OK, no worries. I guess if there are future issues with it, there are some options available.