Replace lodash with eta#3489
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
@google-cla I signed the CLA |
|
FYI @swissspidy |
|
@swissspidy all test passed, please can you review? |
|
@swissspidy thanks! PS: next time you merge a PR, I reccomend you to use |
|
NB: this appears to have been due to a CLI mapping that was not updated during the release of various |
|
A question: is the |
| import {swTemplate} from '../templates/sw-template'; | ||
|
|
||
| const eta = new Eta({ | ||
| useWith: true, |
There was a problem hiding this comment.
NB: I think this relates to the JavaScript with function -- something that can be used by both lodash.template and also eta -- but is deprecated.
There was a problem hiding this comment.
@jayaddison how should we change the code?
There was a problem hiding this comment.
@rtritto Personally I'm a bit skeptical about changing the dependency - lodash.template v4.18.0 may have introduced this error (shortly-after resolved in v4.18.1), but aside from that, the dependency itself has been stable for a long time and is used in many places, which to me is usually a sign that it's stable and reliable. Code that doesn't change often can be a good thing.
If there are significant benefits - e.g. much smaller dependency surface and codebase, better stability, auditing/assurance, etc, then perhaps eta would be worth migrating to - but I'm not aware of any significant improvements/drawbacks to back that up.
Neither eta nor lodash.template is a "logic-less templating" engine -- so I'd guess that they're relatively similar in terms of security and functionality.
However: the use of the with statement in JavaScript, highlighted by this eta migration, does make me think that if we move back to lodash.template, then we could explore using the variable option, which means that the evaluated code does not use the with statement.
NB: there was a security bug about that a few years ago, that was subsequently resolved:
...so some caution could be worthwhile.
There was a problem hiding this comment.
lodash is a generic library with drawbacks of performance and weight where there is an official deprecation of lodash.template.
So it's reasonable to replace it with a library with the specific purpose.
As officially suggested, an alternative is eta.
The useWith: true can be removed if it's not needed. Probably it should be removed with () {} in JavaScript slows down execution and can cause confusing bugs (see https://dev.to/bgub/i-built-a-js-template-engine-3x-faster-than-ejs-lj8).
Yes |
Ok, thanks @rtritto |
|
@jayaddison should we remove |
|
@rtritto I don't have an opinion about that yet, I haven't read much about the functionality or source code of |
|
Ah, also, I forgot: I'm a bit wary about this bugreport in |
There is an opened PR |
3 participants
lodashv4.18.0 introduced the issue lodash/lodash#6167 withlodash.template.E.g.:
lodash.templateis also deprecated (soruce lodash.template):lodashis used only in theworkbox-buildpackage (it useslodash.template) and it can be replaced witheta(https://www.npmjs.com/package/eta).The
@types/lodashdependency at rootpackage.jsoncan also be removed.