Replace lodash with lodash subpackages

.eslintrc.json

@@ -32,6 +32,10 @@
     "@typescript-eslint/no-unused-vars": "error",
     "no-prototype-builtins": "off",
     "require-atomic-updates": "off",
+    "no-restricted-imports": [
+      "error",
+      { "paths": ["lodash"], "patterns": ["lodash/*"] }
+    ],
     "no-buffer-constructor": "error"
   },
   "overrides": [

package.json

@@ -65,19 +65,35 @@
   "dependencies": {
     "@open-policy-agent/opa-wasm": "^1.2.0",
     "@snyk/cli-interface": "2.11.0",
-    "@snyk/dep-graph": "1.21.0",
+    "@snyk/dep-graph": "1.23.1",
     "@snyk/gemfile": "1.2.0",
-    "@snyk/snyk-cocoapods-plugin": "2.5.1",
+    "@snyk/graphlib": "^2.1.9-patch.3",
+    "@snyk/inquirer": "^7.3.3-patch",
+    "@snyk/snyk-cocoapods-plugin": "2.5.2",
     "abbrev": "^1.1.1",
     "ansi-escapes": "3.2.0",
     "chalk": "^2.4.2",
     "cli-spinner": "0.2.10",
     "configstore": "^5.0.1",
     "debug": "^4.1.1",
     "diff": "^4.0.1",
-    "graphlib": "^2.1.8",
-    "inquirer": "^7.3.3",
-    "lodash": "^4.17.20",
+    "lodash.assign": "^4.2.0",
+    "lodash.camelcase": "^4.3.0",
+    "lodash.clonedeep": "^4.5.0",
+    "lodash.endswith": "^4.2.1",
+    "lodash.flatten": "^4.4.0",
+    "lodash.flattendeep": "^4.4.0",
+    "lodash.get": "^4.4.2",
+    "lodash.groupby": "^4.6.0",
+    "lodash.isempty": "^4.4.0",
+    "lodash.isobject": "^3.0.2",
+    "lodash.map": "^4.6.0",
+    "lodash.omit": "^4.5.0",
+    "lodash.orderby": "^4.6.0",
+    "lodash.sortby": "^4.7.0",
+    "lodash.uniq": "^4.5.0",
+    "lodash.upperfirst": "^4.3.1",
+    "lodash.values": "^4.3.0",
     "micromatch": "4.0.2",
     "needle": "2.5.0",
     "open": "^7.0.3",
@@ -88,13 +104,13 @@
     "semver": "^6.0.0",
     "snyk-config": "4.0.0-rc.2",
     "snyk-cpp-plugin": "2.2.1",
-    "snyk-docker-plugin": "4.16.0",
-    "snyk-go-plugin": "1.16.4",
-    "snyk-gradle-plugin": "3.12.3",
+    "snyk-docker-plugin": "4.17.2",
+    "snyk-go-plugin": "1.16.5",
+    "snyk-gradle-plugin": "3.12.5",
     "snyk-module": "3.1.0",
-    "snyk-mvn-plugin": "2.25.1",
-    "snyk-nodejs-lockfile-parser": "1.30.1",
-    "snyk-nuget-plugin": "1.20.0",
+    "snyk-mvn-plugin": "2.25.3",
+    "snyk-nodejs-lockfile-parser": "1.30.2",
+    "snyk-nuget-plugin": "1.21.0",
     "snyk-php-plugin": "1.9.2",
     "snyk-policy": "1.14.1",
     "snyk-python-plugin": "1.19.2",
@@ -113,7 +129,6 @@
   "devDependencies": {
     "@types/agent-base": "^4.2.1",
     "@types/diff": "^3.5.2",
-    "@types/graphlib": "^2.1.7",
     "@types/jest": "^25.2.3",
     "@types/lodash": "^4.14.161",
     "@types/needle": "^2.0.4",
@@ -127,6 +142,9 @@
     "eslint": "6.8.0",
     "eslint-config-prettier": "^6.1.0",
     "jest": "^25.5.4",
+    "lodash": "^4.17.20",
+    "lodash.countby": "^4.6.0",
+    "lodash.every": "^4.6.0",
     "madge": "^3.4.4",
     "nock": "^10.0.6",
     "npm-run-all": "^4.1.5",

src/cli/commands/monitor/formatters/format-monitor-response.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+const assign = require('lodash.assign');
 import chalk from 'chalk';
 import * as url from 'url';
 
@@ -63,7 +63,7 @@ export function formatMonitorOutput(
 
   return options.json
     ? JSON.stringify(
-        _.assign({}, res, {
+        assign({}, res, {
           manageUrl,
           packageManager,
         }),

src/cli/commands/protect/index.ts

@@ -1,7 +1,7 @@
 import * as debugModule from 'debug';
 import * as snyk from '../../../lib/';
 import * as types from '../../../lib/types';
-import * as protect from '../../../lib/protect';
+const protect = require('../../../lib/protect');
 import * as analytics from '../../../lib/analytics';
 import * as detect from '../../../lib/detect';
 import * as pm from '../../../lib/package-managers';

src/cli/commands/protect/prompts.ts

@@ -9,11 +9,12 @@ export {
   startOver,
 };
 
-import * as _ from 'lodash';
+const cloneDeep = require('lodash.clonedeep');
+const get = require('lodash.get');
 import * as semver from 'semver';
 import { format as fmt } from 'util';
 import * as debugModule from 'debug';
-import * as protect from '../../../lib/protect';
+const protect = require('../../../lib/protect');
 import { parsePackageString as moduleToObject } from 'snyk-module';
 import * as config from '../../../lib/config';
 import * as snykPolicy from 'snyk-policy';
@@ -191,7 +192,7 @@ function getPatchPrompts(
     return [];
   }
 
-  let res = stripInvalidPatches(_.cloneDeep(vulns)).filter((vuln) => {
+  let res = stripInvalidPatches(cloneDeep(vulns)).filter((vuln) => {
     // if there's any upgrade available, then remove it
     return canBeUpgraded(vuln) || vuln.type === 'license' ? false : true;
   }) as AnnotatedIssue[];
@@ -256,7 +257,7 @@ function getPatchPrompts(
 
       if (!acc[last]) {
         // only copy the biggest change
-        copy[last] = _.cloneDeep(curr);
+        copy[last] = cloneDeep(curr);
         acc[last] = curr;
         return acc;
       }
@@ -350,7 +351,7 @@ function getIgnorePrompts(vulns, policy, options?) {
     return [];
   }
 
-  const res = stripInvalidPatches(_.cloneDeep(vulns)).filter((vuln) => {
+  const res = stripInvalidPatches(cloneDeep(vulns)).filter((vuln) => {
     // remove all patches and updates
 
     // if there's any upgrade available
@@ -390,7 +391,7 @@ function getUpdatePrompts(vulns: AnnotatedIssue[], policy, options?): Prompt[] {
     return [];
   }
 
-  let res = stripInvalidPatches(_.cloneDeep(vulns)).filter((vuln) => {
+  let res = stripInvalidPatches(cloneDeep(vulns)).filter((vuln) => {
     // only keep upgradeable
     return canBeUpgraded(vuln);
   }) as AnnotatedIssueWithGrouping[];
@@ -410,7 +411,7 @@ function getUpdatePrompts(vulns: AnnotatedIssue[], policy, options?): Prompt[] {
 
     if (!acc[from]) {
       // only copy the biggest change
-      copy = _.cloneDeep(curr);
+      copy = cloneDeep(curr);
       acc[from] = curr;
       return acc;
     }
@@ -588,10 +589,10 @@ function generatePrompt(
     id += '-' + prefix + i;
 
     // make complete copies of the actions, otherwise we'll mutate the object
-    const ignore = _.cloneDeep(ignoreAction);
-    const skip = _.cloneDeep(skipAction);
-    const patch = _.cloneDeep(patchAction);
-    const update = _.cloneDeep(updateAction);
+    const ignore = cloneDeep(ignoreAction);
+    const skip = cloneDeep(skipAction);
+    const patch = cloneDeep(patchAction);
+    const update = cloneDeep(updateAction);
     const review: Action = {
       value: 'review',
       short: 'Review',
@@ -974,7 +975,7 @@ function nextSteps(pkg, prevAnswers) {
   const prompts: Prompt[] = [];
   let i;
 
-  i = _.get(pkg, 'scripts.test', '').indexOf('snyk test');
+  i = get(pkg, 'scripts.test', '').indexOf('snyk test');
   if (i === -1) {
     prompts.push({
       name: 'misc-add-test',
@@ -992,7 +993,7 @@ function nextSteps(pkg, prevAnswers) {
     return prompts;
   }
 
-  i = _.get(pkg, 'scripts.prepublish', '').indexOf('snyk-pro');
+  i = get(pkg, 'scripts.prepublish', '').indexOf('snyk-pro');
 
   // if `snyk protect` doesn't already appear, then check if we need to add it
   if (i === -1) {

src/cli/commands/protect/tasks.ts

@@ -2,7 +2,7 @@ export = answersToTasks;
 
 import * as debugModule from 'debug';
 const debug = debugModule('snyk');
-import * as _ from 'lodash';
+const cloneDeep = require('lodash.clonedeep');
 
 function answersToTasks(answers) {
   const tasks = {
@@ -43,7 +43,7 @@ function answersToTasks(answers) {
       const additional = vuln.grouped.upgrades.slice(1);
 
       additional.forEach((upgrade) => {
-        const copy = _.cloneDeep(vuln);
+        const copy = cloneDeep(vuln);
         copy.from = upgrade.from;
         copy.__filename = upgrade.filename;
         copy.patches = upgrade.patches;

src/cli/commands/protect/wizard.ts

@@ -10,12 +10,13 @@ import * as debugModule from 'debug';
 const debug = debugModule('snyk');
 
 import * as path from 'path';
-import * as inquirer from 'inquirer';
+import * as inquirer from '@snyk/inquirer';
 import * as fs from 'fs';
 import * as tryRequire from 'snyk-try-require';
 import chalk from 'chalk';
 import * as url from 'url';
-import * as _ from 'lodash';
+const cloneDeep = require('lodash.clonedeep');
+const get = require('lodash.get');
 import { exec } from 'child_process';
 import { apiTokenExists } from '../../../lib/api-token';
 import * as auth from '../auth/is-authed';
@@ -25,7 +26,7 @@ import answersToTasks = require('./tasks');
 import * as snyk from '../../../lib/';
 import { monitor as snykMonitor } from '../../../lib/monitor';
 import { isCI } from '../../../lib/is-ci';
-import * as protect from '../../../lib/protect';
+const protect = require('../../../lib/protect');
 import * as authorization from '../../../lib/authorization';
 import * as config from '../../../lib/config';
 import * as spinner from '../../../lib/spinner';
@@ -141,7 +142,7 @@ async function processWizardFlow(options) {
       }
     })
     .then(() => {
-      return new Promise((resolve) => {
+      return new Promise<void>((resolve) => {
         if (options.newPolicy) {
           return resolve(); // don't prompt to start over
         }
@@ -261,7 +262,7 @@ function inquire(prompts, answers): Promise<{}> {
   });
   return new Promise((resolve) => {
     inquirer.prompt(prompts).then((theseAnswers) => {
-      _.extend(answers, theseAnswers);
+      answers = { ...answers, ...theseAnswers };
       Object.keys(answers).forEach((answerName) => {
         if (answerName.indexOf('--DOT--') > -1) {
           const newName = answerName.replace(/--DOT--/g, '.');
@@ -286,7 +287,7 @@ function getNewScriptContent(scriptContent, cmd) {
 }
 
 function addProtectScripts(existingScripts, npmVersion, options) {
-  const scripts = existingScripts ? _.cloneDeep(existingScripts) : {};
+  const scripts = existingScripts ? cloneDeep(existingScripts) : {};
   scripts['snyk-protect'] = 'snyk protect';
 
   let cmd = 'npm run snyk-protect';
@@ -378,7 +379,7 @@ function processAnswers(answers, policy, options) {
         return Promise.resolve();
       }
 
-      return new Promise((resolve) => {
+      return new Promise<void>((resolve) => {
         exec(
           'git add .snyk',
           {
@@ -479,17 +480,17 @@ function processAnswers(answers, policy, options) {
         debug('updating %s', packageFile);
 
         if (
-          _.get(pkg, 'dependencies.snyk') ||
-          _.get(pkg, 'peerDependencies.snyk') ||
-          _.get(pkg, 'optionalDependencies.snyk')
+          get(pkg, 'dependencies.snyk') ||
+          get(pkg, 'peerDependencies.snyk') ||
+          get(pkg, 'optionalDependencies.snyk')
         ) {
           // nothing to do as the user already has Snyk
           // TODO decide whether we should update the version being used
           // and how do we reconcile if the global install is older
           // than the local version?
         } else {
           const addSnykToProdDeps = answers['misc-add-protect'];
-          const snykIsInDevDeps = _.get(pkg, 'devDependencies.snyk');
+          const snykIsInDevDeps = get(pkg, 'devDependencies.snyk');
 
           if (addSnykToProdDeps) {
             if (!pkg.dependencies) {

src/cli/commands/test/formatters/docker/format-docker-binary-heading.ts

@@ -1,10 +1,10 @@
-import * as _ from 'lodash';
+const values = require('lodash.values');
 import chalk from 'chalk';
 
 export function createDockerBinaryHeading(pkgInfo): string {
   const binaryName = pkgInfo.pkg.name;
   const binaryVersion = pkgInfo.pkg.version;
-  const numOfVulns = _.values(pkgInfo.issues).length;
+  const numOfVulns = values(pkgInfo.issues).length;
   const vulnCountText = numOfVulns > 1 ? 'vulnerabilities' : 'vulnerability';
   return numOfVulns
     ? chalk.bold.white(

src/cli/commands/test/formatters/docker/format-docker-binary-issues.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+const values = require('lodash.values');
 import { createDockerBinaryHeading } from './format-docker-binary-heading';
 import { Options, TestOptions } from '../../../../../lib/types';
 import { formatIssues } from '../legacy-format-issue';
@@ -9,7 +9,7 @@ export function formatDockerBinariesIssues(
   options: Options & TestOptions,
 ): string[] {
   const binariesIssuesOutput = [] as string[];
-  for (const pkgInfo of _.values(binariesVulns.affectedPkgs)) {
+  for (const pkgInfo of values(binariesVulns.affectedPkgs)) {
     binariesIssuesOutput.push(createDockerBinaryHeading(pkgInfo));
     const binaryIssues = dockerBinariesSortedGroupedVulns.filter(
       (vuln) => vuln.metadata.name === pkgInfo.pkg.name,

src/cli/commands/test/formatters/format-test-results.ts

@@ -15,7 +15,8 @@ import {
   WIZARD_SUPPORTED_PACKAGE_MANAGERS,
 } from '../../../../lib/package-managers';
 import * as config from '../../../../lib/config';
-import * as _ from 'lodash';
+const cloneDeep = require('lodash.clonedeep');
+const orderBy = require('lodash.orderby');
 import * as analytics from '../../../../lib/analytics';
 import {
   formatIssuesWithRemediation,
@@ -30,7 +31,7 @@ import { jsonStringifyLargeObject } from '../../../../lib/json';
 import { createSarifOutputForOpenSource } from '../open-source-sarif-output';
 
 export function formatJsonOutput(jsonData, options: Options) {
-  const jsonDataClone = _.cloneDeep(jsonData);
+  const jsonDataClone = cloneDeep(jsonData);
 
   if (options['group-issues']) {
     jsonDataClone.vulnerabilities = Object.values(
@@ -170,7 +171,7 @@ export function getDisplayedOutput(
 
   const vulns = res.vulnerabilities || [];
   const groupedVulns: GroupedVuln[] = groupVulnerabilities(vulns);
-  const sortedGroupedVulns = _.orderBy(
+  const sortedGroupedVulns = orderBy(
     groupedVulns,
     ['metadata.severityValue', 'metadata.name'],
     ['asc', 'desc'],

src/cli/commands/test/formatters/legacy-format-issue.ts

@@ -1,4 +1,4 @@
-import * as _ from 'lodash';
+const uniq = require('lodash.uniq');
 import chalk from 'chalk';
 import * as config from '../../../../lib/config';
 import { Options, TestOptions, ShowVulnPaths } from '../../../../lib/types';
@@ -26,7 +26,7 @@ export function formatIssues(
   const vulnID = vuln.list[0].id;
   const packageManager = options.packageManager!;
   const localPackageTest = isLocalFolder(options.path);
-  const uniquePackages = _.uniq(
+  const uniquePackages = uniq(
     vuln.list.map((i) => {
       if (i.from[1]) {
         return i.from && i.from[1];
@@ -233,7 +233,7 @@ function createRemediationText(
   }
 
   if (vuln.isFixable === true) {
-    const upgradePathsArray = _.uniq(
+    const upgradePathsArray = uniq(
       vuln.list.map((v) => {
         const shouldUpgradeItself = !!v.upgradePath[0];
         const shouldUpgradeDirectDep = !!v.upgradePath[1];

src/cli/commands/test/iac-output.ts

@@ -11,7 +11,7 @@ import { titleCaseText } from './formatters/legacy-format-issue';
 import * as sarif from 'sarif';
 import { SEVERITY } from '../../../lib/snyk-test/legacy';
 import { IacFileInDirectory } from '../../../lib/types';
-import upperFirst = require('lodash/upperFirst');
+import upperFirst = require('lodash.upperfirst');
 const debug = Debug('iac-output');
 
 function formatIacIssue(