Upgrade to lodash 4

[xycloud]

VERSION: kibana 5.0
why not update lodash from 3.10.1 to 4.5.0? some function only existed in 4.5.0 like _.isEmpty

[Bargs]

I don't know if anyone has taken a swing at it and encountered specific issues, but my guess is that it just hasn't been worth it to deal with all the breaking changes yet.

It's true that there are a lot of new methods in 4.x, but _.isEmpty is actually available in 3.x btw: https://github.com/lodash/lodash/blob/3.10.1/doc/README.md#_isemptyvalue

[kimjoar]

Btw, https://github.com/jfmengels/lodash-codemods is possibly a good starting point for this.

/cc @archanid as I think I remember you've mentioned interest in codemods earlier. This could be an interesting fix to play around with them.

[elasticmachine]

Pinging @elastic/kibana-platform

[lizozom]

After speaking to @kobelb, I understand we are using a forked 3.x because of https://hackerone.com/reports/310443

However, 4.x is now patched as well, and it should be possible to upgrade to 4.x :)

[elasticmachine]

Pinging @elastic/kibana-operations

[jbudz]

Yup, the fork for the security fix and the pending upgrade to v4 is mostly due to how many uses we have. It's a lot of breaking changes IIRC.

[kobelb]

To work-around the out of date version of lodash, there has been the occasional usage of the "per-method packages", for example lodash.clonedeep. These will be going away in lodash version 5. Additionally, they generally lag behind when there is a security vulnerability and per the main author of lodash:

I'm not really maintaining the individual method packages. We'll bump them eventually as part of one last 4.x push for security fixes but I'm in no hurry.

We really need to figure out a plan here. We're already maintaining a fork of lodash@3 and version 5 is now in the works.