Discourse embeds a custom copy of version 1.3.0 of lo-dash.
Google’s lighthouse analysis reports 4 security vulnerabilities on my up-to-date Discourse instance, 3 of which are in lo-dash and one of which is marked as High severity.
@joffreyjaffeux just updated lodash and also reduced our surface area quite a lot by building a custom hand-curated lodash that only includes a subset of the functions on offer that we use.
If you consider the huge jump in the version number, it should have changed a number of method signatures. Since it's Lodash, developers should review the need and migrate to vanilla JS whenever possible.
Hmm - I reran the report on lighthouse (pointing at this site), and it sees lo-dash now at version 4.17.5, which is a great deal newer but still has 2 vulnerabilities including the high severity one. It looks like the fix is in 4.17.11, according to
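The thread above relies on Lighthouse to report which lodash version a site actually ships. The following is an added example, not code from Discourse or from any poster, of a static check a site operator can run over their own built JavaScript assets before deploying: it looks for the version marker that lodash builds carry and compares it numerically against a minimum. The regexes are a heuristic (an assumption, not lodash's documented format), the sample "bundles" are constructed strings, and the minimum of 4.17.11 is simply the fix version the last post quotes.

```javascript
// Added example (not Discourse's or lodash's own code): check that a bundled
// lodash copy is at or above a minimum version.
//
// Heuristic (assumption): lodash's source carries `var VERSION = '4.17.5';`
// and older/custom builds carry a banner such as `Lo-Dash 1.3.0 (Custom Build)`.
// Minified builds may reference VERSION through a renamed variable, in which
// case nothing matches and the caller should fall back to a runtime check
// (`_.VERSION` in the page, which is what Lighthouse effectively reads).
const VERSION_PATTERNS = [
  /\bVERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/,   // var VERSION = '4.17.5';
  /\blo-?dash\s+v?(\d+\.\d+\.\d+)/i,           // * Lo-Dash 1.3.0 (Custom Build)
];

// Minimum acceptable version, taken from the last post in the thread.
const MIN_VERSION = '4.17.11';

// Return the first lodash version string found in the bundle text, or null.
function detectLodashVersion(bundleText) {
  for (const re of VERSION_PATTERNS) {
    const m = re.exec(bundleText);
    if (m) return m[1];
  }
  return null;
}

// Numeric semver comparison: -1, 0 or 1. A plain string comparison would get
// 4.17.5 vs 4.17.11 wrong ('5' > '1'), which is exactly the pair at issue here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Verdict for one bundle: { found, ok, reason }. `ok` is null when no marker
// was found, so an unknown version is never silently treated as a pass.
function checkBundle(bundleText, minVersion = MIN_VERSION) {
  const found = detectLodashVersion(bundleText);
  if (found === null) {
    return { found: null, ok: null,
             reason: 'no lodash version marker found; verify _.VERSION at runtime' };
  }
  const ok = compareVersions(found, minVersion) >= 0;
  return { found, ok,
           reason: ok ? `lodash ${found} >= ${minVersion}`
                      : `lodash ${found} is older than ${minVersion}` };
}

// Constructed sample bundles (not real Discourse assets).
const OLD_BUNDLE =
  '/**\n * @license\n * Lo-Dash 1.3.0 (Custom Build) <http://lodash.com/>\n */\n' +
  ';(function(){ var _ = {}; _.VERSION = "1.3.0"; })();';
const CURRENT_BUNDLE =
  ';(function(){\n  var VERSION = \'4.17.5\';\n  var lodash = {}; lodash.VERSION = VERSION;\n})();';
const FIXED_BUNDLE =
  ';(function(){\n  var VERSION = "4.17.11";\n  var lodash = {}; lodash.VERSION = VERSION;\n})();';
const MINIFIED_BUNDLE = ';(function(){var Ye="x";Zn.VERSION=Ye})();';

for (const [name, text] of Object.entries({ OLD_BUNDLE, CURRENT_BUNDLE, FIXED_BUNDLE, MINIFIED_BUNDLE })) {
  const r = checkBundle(text);
  console.log(`${name}: found=${r.found} ok=${r.ok} (${r.reason})`);
}
```

Run this over each built asset (for example every `*.js` under the site's public assets directory) rather than the source tree, since a custom hand-curated build is what actually reaches browsers; a null verdict means the static heuristic could not see the version and the runtime `_.VERSION` value, or a Lighthouse run, is the authoritative answer.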