Inside Lodash’s Security Reset and Maintenance Reboot

9 points by fanf

lazytype

So long as this still evaluates to true lodash shouldn't be taken seriously.

require('lodash').isEqual(
  new Map([[0, [1, 2]]]),
  new Map([[0, [2, 1]]]),
)

chrismorgan
Wow. It actually does that.
1. ECMAScript sets and maps iterate in insertion order.
2. People normally expect set or map equality to be independent of order. Though apparently not all do.
3. So lodash sets a COMPARE_UNORDERED_FLAG, which is fair enough.
4. Except this flag applies recursively, wrecking value comparisons. Oh, and key comparisons, though they were already broken because it’s pretty obvious to me that it should be using object identity rather than deep equality for key comparisons, since Map and Set do. (Its length comparison fast path thus also makes it internally inconsistent.)
5. https://github.com/lodash/lodash/issues/5101 was filed in February 2021 about the value comparison problem. It was ignored.
6. https://github.com/lodash/lodash/pull/5397 was offered in March 2022, containing the obvious and approximately trivial patch. It was ignored by maintainers.
7. Both were closed with label “issue bankruptcy” in September 2023.