Closed. simonpkerr closed this 3 years ago.
Thanks for your PR.

The snyk security warning is for the lodash package, no? react-lottie-player doesn't depend on lodash, but on lodash.clonedeep. It doesn't look like this package has any vulnerabilities: https://snyk.io/vuln/search?q=lodash.clonedeep&type=npm

I don't generally like to use less popular packages unless there is a good reason for it. Looking at the npms score, lodash.clonedeep has a higher score than merge-anything. It also has more subdependencies.

I'm not against replacing lodash.merge, but I don't really see a good reason in this case unless you can document why it's problematic.
OK, no worries. I guess if there are future issues with it, there are some options available.
This replaces lodash with merge-anything, which is a fast, secure alternative to lodash. We constantly get security findings for anything related to lodash, whereas merge-anything seems to be ok.