Bug: Migrate away from lodash method packages

[susnux]

Lodash method packages are deprecated and will not receive any updated with Lodash 5, meaning they will be a security risk in the future.

Ref: https://lodash.com/per-method-packages

Currently lodash.merge is a dependency:

eslint/package.json

Line 94 in e37153f

"lodash.merge": "^4.6.2",

So the best would be to migrate to import merge directly from lodash.

What did you expect to happen?

Do not use lodash.merge but import merge from lodash.

Link to Minimal Reproducible Example

eslint/package.json

Line 94 in e37153f

"lodash.merge": "^4.6.2",

Participation

• I am willing to submit a pull request for this issue.

[Rec0iL99]

Hi @susnux, thanks for the issue. This looks like a Change Request and not a Bug Report. Could you please use the appropriate template here?

[bmish]

Based on https://lodash.com/per-method-packages, it sounds like it would make sense to switch, would be interested to see a PR.

[mdjermanovic]

We removed lodash dependency for reasons described in #14098, so we're not going to use it again. lodash.merge dependency was actually added as a replacement for previously used merge from lodash (#14287).

We could consider replacing lodash.merge with another package or a custom implementation, or just leave this as is until ESLint v10 when we'll drop support for eslintrc and remove this dependency anyway because it is used only in eslintrc mode.

[aladdin-add]

👍 to leave this as is until ESLint v10.

[nzakas]

I agree with leaving the package until ESLint v10.

lodash.merge is also used in the tests for no-invalid-this, so I'd suggest we replace that reference in the meantime. It looks like it's probably not needed there.

[mdjermanovic]

lodash.merge is also used in the tests for no-invalid-this, so I'd suggest we replace that reference in the meantime. It looks like it's probably not needed there

I prepared #18179 to remove this and another use of lodash.merge.

The remaining one is blocked on ESLint v10.