I've noticed the security issues and one of them is with lodash, which
we pull in via uncss. gulp-uncss brings in an old version of uncss
and is no longer maintained, the recommendation is to use gulp-postcss
instead. gulp-postcss seemed too complex for what we're trying to do
here. So I opted to use purgecss via gulp-purgecss. The resulting
CSS is not as small as the one done with uncss: 57870 (purgecss) vs
45405 (uncss) bytes. But who's splitting hairs, seems to work and we
no longer depend on a vulnerable version of lodash.
I've noticed the security issues and one of them is with
lodash, which we pull in via uncss.gulp-uncssbrings in an old version ofuncssand is no longer maintained, the recommendation is to usegulp-postcssinstead.gulp-postcssseemed too complex for what we're trying to do here. So I opted to usepurgecssviagulp-purgecss. The resulting CSS is not as small as the one done withuncss: 57870 (purgecss) vs 45405 (uncss) bytes. But who's splitting hairs, seems to work and we no longer depend on a vulnerable version oflodash.@kahboom WDYT?