Bug: Undeclared dependency on lodash.merge

This file imports lodash.merge: eslint-plugin-sonarjs@3.0.3_eslint@9.29.0_jiti@2.4.2_/node_modules/eslint-plugin-sonarjs/cjs/helpers/generate-meta.js

However, that dependency is not included in the package.json:

  "dependencies": {
    "@eslint-community/regexpp": "4.12.1",
    "builtin-modules": "3.3.0",
    "bytes": "3.1.2",
    "functional-red-black-tree": "1.0.1",
    "jsx-ast-utils": "3.3.5",
    "minimatch": "9.0.5",
    "scslre": "0.3.0",
    "semver": "7.7.2",
    "typescript": ">=5"
  },
  "peerDependencies": {
    "eslint": "^8.0.0 || ^9.0.0"
  }

Obviously, if the package depends on lodash.merge, it ought to be declared as a dependency.

Hi @Brendan_Mulholland,

thanks for the heads up. I’ve been checking and it seems we’ve been lucky (or unlucky, as we would have spotted that a long time ago) that ESLint actually depends on lodash.merge as well.

I create a ticket to fix this.

Cheers,
Victor
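
The check this thread calls for, as an added example (not code from eslint-plugin-sonarjs or ESLint): it lists packages a file imports that the package's own manifest does not declare, and notes when a declared peer's dependencies are the only thing supplying them. The file contents, the `installed` map and the lodash.merge version range are constructed sample input; `findUndeclared` and `packageName` are hypothetical names.

```javascript
// Heuristic scan: regexes do not parse JavaScript, so treat hits as leads to confirm.
const IMPORT_RE = /\brequire\(\s*["']([^"']+)["']\s*\)|\bfrom\s+["']([^"']+)["']|\bimport\(\s*["']([^"']+)["']\s*\)/g;
const BUILTINS = new Set(["fs", "path", "os", "url", "util", "crypto", "module"]); // partial list

// Map an import specifier to the package that must be declared, or null if none.
function packageName(spec) {
  if (/^(\.|\/|node:)/.test(spec)) return null; // relative, absolute, node: builtin
  const parts = spec.split("/");
  const name = spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return BUILTINS.has(name) ? null : name;
}

// Return [{file, name, via}] for imports missing from the package's own manifest.
// devDependencies are ignored on purpose: they are not installed for consumers.
// `via` names declared packages whose own dependencies happen to supply the import,
// which is how an undeclared import can keep resolving in a hoisted node_modules.
function findUndeclared(files, manifest, installed = {}) {
  const declared = new Set(["dependencies", "peerDependencies", "optionalDependencies"]
    .flatMap((key) => Object.keys(manifest[key] || {})));
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const m of source.matchAll(IMPORT_RE)) {
      const name = packageName(m[1] || m[2] || m[3]);
      if (!name || declared.has(name)) continue;
      const via = [...declared].filter((d) => name in ((installed[d] || {}).dependencies || {}));
      findings.push({ file, name, via });
    }
  }
  return findings;
}

// Constructed sample input modelled on the report above. The file body is invented
// for illustration; only the path and the manifest entries come from the thread.
const manifest = {
  dependencies: { "@eslint-community/regexpp": "4.12.1", minimatch: "9.0.5", semver: "7.7.2" },
  peerDependencies: { eslint: "^8.0.0 || ^9.0.0" },
};
const files = {
  "cjs/helpers/generate-meta.js": [
    'const merge = require("lodash.merge");',
    'const path = require("node:path");',
    'const gte = require("semver/functions/gte");',
    'const { RegExpParser } = require("@eslint-community/regexpp");',
    'const helpers = require("./rule-helpers");',
  ].join("\n"),
};
// Constructed: the peer's own manifest, with an assumed version range.
const installed = { eslint: { dependencies: { "lodash.merge": "^4.6.2" } } };

console.log(JSON.stringify(findUndeclared(files, manifest, installed), null, 2));
```

A finding with a non-empty `via` works only as long as the package manager hoists that transitive dependency; strict layouts such as pnpm's default or Yarn Plug'n'Play will fail to resolve it.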