From cc629a163dda1122c08eafbf9680fc5de92e12dc Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Sat, 6 Apr 2024 17:26:31 +0200
Subject: [PATCH] client: Replace lodash.pick with lodash-es

The former has not been updated for a while, and contains a prototype pollutioon vulnerability: https://github.com/advisories/GHSA-p6mc-m468-83gw
We were not affected since we supply the properties ourselves but this will rid of the `npm audit` complaining. Also, the per-method lodash packages are discouraged so this will make the code more future proof: https://lodash.com/per-method-packages
---
 client/js/templates/Source.jsx | 2 +-
 client/package-lock.json | 12 ++++++------
 client/package.json | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/client/js/templates/Source.jsx b/client/js/templates/Source.jsx
index c91275d12e..83b44c14d8 100644
--- a/client/js/templates/Source.jsx
+++ b/client/js/templates/Source.jsx
@@ -13,7 +13,7 @@ import PropTypes from 'prop-types';
 import nullable from 'prop-types-nullable';
 import { unescape } from 'html-escaper';
 import classNames from 'classnames';
-import pick from 'lodash.pick';
+import { pick } from 'lodash-es';
 import SourceParam from './SourceParam';
 import { Spinner } from './Spinner';
 import * as sourceRequests from '../requests/sources';
diff --git a/client/package-lock.json b/client/package-lock.json
index 86f52ffad9..93d17f2814 100644
--- a/client/package-lock.json
+++ b/client/package-lock.json
@@ -20,7 +20,7 @@
 "focus-trap": "^7.0.0",
 "form-urlencoded": "^6.0.0",
 "html-escaper": "^3.0.0",
- "lodash.pick": "^4.4.0",
+ "lodash-es": "^4.17.21",
 "prop-types": "^15.7.2",
 "prop-types-nullable": "^1.0.1",
 "ramda": "^0.29.0",
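Review bot: In client/js/templates/Source.jsx the new `import { pick } from 'lodash-es';` goes through the package's top-level module, so whether only `pick` ends up in the client bundle depends on the bundler's tree-shaking, which is not visible in this patch. Importing the single module, `import pick from 'lodash-es/pick';`, keeps the shipped third-party code to that one function regardless of bundler settings. The call sites of `pick` are outside the hunk; because the commit message relies on the property list being supplied by the code itself, a short comment there such as `// keys passed to pick() must stay a fixed list, never taken from user input` would record that assumption for later maintainers.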
@@ -5349,6 +5349,11 @@
 "url": "https://github.com/sponsors/sindresorhus"
 }
 },
+ "node_modules/lodash-es": {
+ "version": "4.17.21",
+ "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz",
+ "integrity": "sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw=="
+ },
 "node_modules/lodash.debounce": {
 "version": "4.0.8",
 "resolved": "https://registry.npmjs.org/lodash.debounce/-/lodash.debounce-4.0.8.tgz",
@@ -5360,11 +5365,6 @@
 "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
 "dev": true
 },
- "node_modules/lodash.pick": {
- "version": "4.4.0",
- "resolved": "https://registry.npmjs.org/lodash.pick/-/lodash.pick-4.4.0.tgz",
- "integrity": "sha512-hXt6Ul/5yWjfklSGvLQl8vM//l3FtyHZeuelpzK6mm99pNvN9yTDruNZPEJZD1oWrqo+izBmB7oUfWgcCX7s4Q=="
- },
 "node_modules/lodash.truncate": {
 "version": "4.4.2",
 "resolved": "https://registry.npmjs.org/lodash.truncate/-/lodash.truncate-4.4.2.tgz",
diff --git a/client/package.json b/client/package.json
index 608e8ccf05..0942123e50 100644
--- a/client/package.json
+++ b/client/package.json
@@ -15,7 +15,7 @@
 "focus-trap": "^7.0.0",
 "form-urlencoded": "^6.0.0",
 "html-escaper": "^3.0.0",
- "lodash.pick": "^4.4.0",
+ "lodash-es": "^4.17.21",
 "prop-types": "^15.7.2",
 "prop-types-nullable": "^1.0.1",
 "ramda": "^0.29.0",