eslint-plugin-no-unsanitized VS You-Dont-Need-Lodash-Underscore

Prevent any uses of setting innerHTML or similar functions e.g. via an eslint plugin.

Great point!

It wanted to edit the comment to change (1) to (server/client) but I passed my edit timeout.

I would include your (5) within (1). `textContent` and other DOM methods like `setAttribute` are effectively secure output-escaping on the client.

Your (5a) is an excellent extra measure. In this area, I'd also add security-focused linting for (1) and (5)–e.g. for (5), to ensure secure DOM methods are used, I use Mozilla's `eslint-plugin-no-unsanitized`[0] plugin for all my personal & work projects.

[0] https://github.com/mozilla/eslint-plugin-no-unsanitized/

These are all really outdated tips. Moment is deprecated and it is recommended to use dayJs or date-fns. Lodash is discouraged because it has a huge bundle size and nowadays you will find native functions which do most of the things people have used lodash before. https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore

https://github.com/you-dont-need/You-Dont-Need-Lodash-Unders... seems to be a more readable alternative to this website.

Adjacently useful is https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore

I never used lodash but I found this. Might interest you.

In one of my team's Pull Requests I noticed date-fns being added as dependency for our components library for one usage: transform a timestamp to "MM/yy" string, as it represented a debit card's expiration date. Inspired by You don't (may not) need lodash/underscore, I thought to myself - can't we just implement a 2-digit month and 2-digit year formatting? It looks simple, right?

Yes and no. We did but are converting to in-house code since most Lodash functions are already available as native JS and/or @babel/preset-env + core-js@latest (see: You don't need Lodash).