Replace "lodash.pick" with "lodash/pick"

[dangowans]

The two packages function the same.
Clears up GHSA-p6mc-m468-83gw

[CLAassistant]

All committers have signed the CLA.

[socket-security]

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: npm/lodash.assign@4.2.0, npm/lodash.omit@4.5.0, npm/lodash.pick@4.4.0

View full report↗︎

[pimterry]

Hmm, interesting, yes... It's not an impactful vulnerability, but yes it would be nice to drop that warning.

What about if we just drop the per-method dependencies entirely, depend on lodash directly and import from subpaths there instead? Like require('lodash/pick'). That's the recommended approach and those per-method packages are actually deprecated because the space savings are apparently rarely worthwhile & could be counterproductive in reality (see https://lodash.com/per-method-packages - presumably this is why they're not being updated).

[dangowans]

That works for me. I updated the pull request with lodash instead.

[pimterry]

Nice stuff, thanks @dangowans! I'll release as v2.2.1 in just a sec.

[dangowans]

Thanks. I see there was more lodash packages than just the one I was looking at. Good update!