Open mapedraza opened 2 years ago
@mapedraza if you look at the `package-lock.json`, you'll notice that the `async` dependency relies on `lodash`:

```json
"async": {
    "version": "2.6.2",
    "resolved": "https://registry.npmjs.org/async/-/async-2.6.2.tgz",
    "integrity": "sha512-H1qVYh1MYhEEFLsP97cVKqCGo7KfCyTt6uEWqsTBr9SO84oK9Uwbyd/yCW+6rKJLHksBNUVWZDAjfS+Ccx0Bbg==",
    "requires": {
        "lodash": "^4.17.11"
    }
},
```

`lodash` is nearly but not quite a one-to-one drop-in for `underscore` - you could just switch the library for using `pluck()` and `map()`. This would eliminate `underscore` entirely since no other dependency is using it. It should improve throughput slightly too since `lodash` is supposedly more performant.
underscore is still used by:

```
lib/plugins/bidirectionalData.js:const _ = require('underscore');
lib/plugins/expressionParser.js:const _ = require('underscore');
lib/services/ngsi/entities-NGSI-LD.js:const _ = require('underscore');
lib/services/ngsi/ngsiService.js:const _ = require('underscore');
lib/services/ngsi/ngsiUtils.js:const _ = require('underscore');
lib/services/stats/statsRegistry.js:const _ = require('underscore');
lib/services/northBound/contextServer-NGSI-v2.js:const _ = require('underscore');
lib/services/northBound/deviceGroupAdministrationServer.js:const _ = require('underscore');
lib/services/northBound/restUtils.js:const _ = require('underscore');
lib/services/northBound/contextServer-NGSI-LD.js:const _ = require('underscore');
lib/services/northBound/deviceProvisioningServer.js:const _ = require('underscore');
lib/services/devices/devices-NGSI-v2.js:const _ = require('underscore');
lib/services/devices/registrationUtils.js:const _ = require('underscore');
lib/services/devices/deviceService.js:const _ = require('underscore');
lib/services/devices/devices-NGSI-LD.js:const _ = require('underscore');
lib/services/devices/deviceRegistryMemory.js:const _ = require('underscore');
lib/services/groups/groupRegistryMemory.js:const _ = require('underscore');
lib/services/commands/commandRegistryMemory.js:const _ = require('underscore');
```
The idea is to reduce the number of dependencies used in the codebase, especially those which are not essential, in order to reduce possible vulnerabilities like Log4j CVE-2021-44228.
In the particular case of underscore, we have found that it is used only in these cases:
Both cases can be easily covered without using underscore (in the case of pluck, using a map filter; in the case of difference and key, amending the logic in charge of that part of the code).
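The lock-file check described in the first comment (who actually requires `lodash`, and whether anything still requires `underscore`) can be automated instead of read by hand. The following is an added example, not code from this issue or from the project; the lock data is a constructed sample in the lockfile v1 shape shown above, and `whoRequires` and `requiredByNobody` are hypothetical helper names.

```javascript
// Walk a lockfile-v1 style package-lock.json ("dependencies" entries with
// "requires" maps, optionally nested) and report which packages pull in a
// given dependency. Constructed sample: only the fields the check needs.
const SAMPLE_LOCK = {
  dependencies: {
    async: { version: "2.6.2", requires: { lodash: "^4.17.11" } },
    lodash: { version: "4.17.21" },
    underscore: { version: "1.13.6" },
    express: {
      version: "4.18.2",
      requires: { "body-parser": "1.20.1" },
      // lockfile v1 nests deduplicated sub-trees under "dependencies"
      dependencies: {
        "body-parser": { version: "1.20.1", requires: { async: "^2.6.2" } }
      }
    }
  }
};

// Flatten the tree into { path, requires } records, recursing into nested
// "dependencies" blocks so transitive requirers are not missed.
function walk(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.push({ path, requires: meta.requires || {} });
    walk(meta.dependencies, path, out);
  }
  return out;
}

// Dependency paths of every package whose "requires" lists `target`.
function whoRequires(lock, target) {
  return walk(lock.dependencies, "", [])
    .filter((e) => Object.prototype.hasOwnProperty.call(e.requires, target))
    .map((e) => e.path);
}

// Package names present in the lock that no other entry requires: direct
// dependencies, or leftovers that can be dropped (as proposed for underscore).
function requiredByNobody(lock) {
  const entries = walk(lock.dependencies, "", []);
  const wanted = new Set(entries.flatMap((e) => Object.keys(e.requires)));
  const names = entries.map((e) => e.path.split(" > ").pop());
  return [...new Set(names)].filter((n) => !wanted.has(n)).sort();
}
```

Run it against a real lock file with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the sample; an empty result from `whoRequires(lock, "underscore")` confirms the claim that no other dependency needs it.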