From 6a714d15814934e87ac0a203ccf7867d6854c9c8 Mon Sep 17 00:00:00 2001
From: Martin Knudsen
Date: Mon, 29 Jan 2024 16:53:57 +0100
Subject: [PATCH] remove lodash.pick due to CVE-2020-8203
---
 lib/transform.js | 10 +++++++++-
 package-lock.json | 11 -----------
 package.json | 1 -
 3 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/lib/transform.js b/lib/transform.js
index fbf73b2..d71af88 100644
--- a/lib/transform.js
+++ b/lib/transform.js
@@ -2,9 +2,17 @@ const testValue = require('test-value')
 const where = testValue.where
 const arrayify = require('array-back')
 const extract = require('reduce-extract')
-const pick = require('lodash.pick')
 const omit = require('lodash.omit')
 
+function pick(object, keys) {
+ return keys.reduce((obj, key) => {
+ if (object && object.hasOwnProperty(key)) {
+ obj[key] = object[key];
+ }
+ return obj;
+ }, {});
+}
+
 /**
 * @module transform
 */
diff --git a/package-lock.json b/package-lock.json
index 6f88422..3eede4d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,7 +11,6 @@
 "dependencies": {
 "array-back": "^6.2.2",
 "lodash.omit": "^4.5.0",
- "lodash.pick": "^4.4.0",
 "reduce-extract": "^1.0.0",
 "sort-array": "^4.1.5",
 "test-value": "^3.0.0"
@@ -460,11 +459,6 @@
 "resolved": "https://registry.npmjs.org/lodash.omit/-/lodash.omit-4.5.0.tgz",
 "integrity": "sha512-XeqSp49hNGmlkj2EJlfrQFIzQ6lXdNro9sddtQzcJY8QaoC2GO0DT7xaIokHeyM+mIT0mPMlPvkYzg2xCuHdZg=="
 },
- "node_modules/lodash.pick": {
- "version": "4.4.0",
- "resolved": "https://registry.npmjs.org/lodash.pick/-/lodash.pick-4.4.0.tgz",
- "integrity": "sha512-hXt6Ul/5yWjfklSGvLQl8vM//l3FtyHZeuelpzK6mm99pNvN9yTDruNZPEJZD1oWrqo+izBmB7oUfWgcCX7s4Q=="
- },
 "node_modules/minimatch": {
 "version": "3.1.2",
 "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
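Review bot: In the new `pick` in lib/transform.js, `object.hasOwnProperty(key)` is resolved on the input itself, so a record that carries its own `hasOwnProperty` key (for example one parsed from JSON) or that has a null prototype makes the call throw. The assignment `obj[key] = object[key]` also goes through the `__proto__` setter when `keys` contains `__proto__` and the input has it as an own property, which swaps the prototype of the returned object instead of copying a field; that is close to the class of problem this commit sets out to remove. I would write the guard as `if (object != null && key !== '__proto__' && Object.prototype.hasOwnProperty.call(object, key)) {`. As far as I recall lodash.pick matched keys with `in`, so inherited properties were copied as well; whether any caller in this module relied on that is not visible in the hunk, so a test that pins the expected result for an inherited key and for a `__proto__` key would be worth adding.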
@@ -1102,11 +1096,6 @@
 "resolved": "https://registry.npmjs.org/lodash.omit/-/lodash.omit-4.5.0.tgz",
 "integrity": "sha512-XeqSp49hNGmlkj2EJlfrQFIzQ6lXdNro9sddtQzcJY8QaoC2GO0DT7xaIokHeyM+mIT0mPMlPvkYzg2xCuHdZg=="
 },
- "lodash.pick": {
- "version": "4.4.0",
- "resolved": "https://registry.npmjs.org/lodash.pick/-/lodash.pick-4.4.0.tgz",
- "integrity": "sha512-hXt6Ul/5yWjfklSGvLQl8vM//l3FtyHZeuelpzK6mm99pNvN9yTDruNZPEJZD1oWrqo+izBmB7oUfWgcCX7s4Q=="
- },
 "minimatch": {
 "version": "3.1.2",
 "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
diff --git a/package.json b/package.json
index 1a952da..62d6282 100644
--- a/package.json
+++ b/package.json
@@ -21,7 +21,6 @@
 "dependencies": {
 "array-back": "^6.2.2",
 "lodash.omit": "^4.5.0",
- "lodash.pick": "^4.4.0",
 "reduce-extract": "^1.0.0",
 "sort-array": "^4.1.5",
 "test-value": "^3.0.0"