You-Dont-Need-Lodash-Underscore VS eslint-plugin-no-unsanitized

These are all really outdated tips. Moment is deprecated and it is recommended to use dayJs or date-fns. Lodash is discouraged because it has a huge bundle size and nowadays you will find native functions which do most of the things people have used lodash before. https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore

https://github.com/you-dont-need/You-Dont-Need-Lodash-Unders... seems to be a more readable alternative to this website.

Adjacently useful is https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore

I never used lodash but I found this. Might interest you.

In one of my team's Pull Requests I noticed date-fns being added as dependency for our components library for one usage: transform a timestamp to "MM/yy" string, as it represented a debit card's expiration date. Inspired by You don't (may not) need lodash/underscore, I thought to myself - can't we just implement a 2-digit month and 2-digit year formatting? It looks simple, right?

Yes and no. We did but are converting to in-house code since most Lodash functions are already available as native JS and/or @babel/preset-env + core-js@latest (see: You don't need Lodash).

Prevent any uses of setting innerHTML or similar functions e.g. via an eslint plugin.

Great point!

It wanted to edit the comment to change (1) to (server/client) but I passed my edit timeout.

I would include your (5) within (1). `textContent` and other DOM methods like `setAttribute` are effectively secure output-escaping on the client.

Your (5a) is an excellent extra measure. In this area, I'd also add security-focused linting for (1) and (5)–e.g. for (5), to ensure secure DOM methods are used, I use Mozilla's `eslint-plugin-no-unsanitized`[0] plugin for all my personal & work projects.

[0] https://github.com/mozilla/eslint-plugin-no-unsanitized/