Lo-dash version has high severity security vulnerability

Discourse embeds a custom copy of 1.3.0 version of lo-dash.

Google’s lighthouse analysis reports 4 security vulnerabilities on my up-to-date Discourse instance, 3 of which are in lo-dash and one of which is marked as High severity.

The lighthouse report links to

Lighthouse is at

and the report for this site, at
says under Best Practices

Includes front-end JavaScript libraries with known security vulnerabilities 3 vulnerabilities detected

Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.

Library Version Vulnerability Count Highest Severity
Lo-Dash@1.3.0 3 High

@joffreyjaffeux can you update lo-dash to latest version?

1 Like

@joffreyjaffeux just updated lodash and also reduced our surface area quite a lot by building a custom hand curated lodash that only includes a subset of function on offer that we use.


Any chance it eliminated functionality which certain plugins used?

1 Like

If you consider the huge jump in the version number, it should have changed a number of method signatures. Since it’s Lodash, developers should review the need and migrate to vanilla js whenever possible.

1 Like

Hmm - I reran the report on lighthouse (pointing at this site), and it sees lo-dash now at version 4.17.5, which is a great deal newer but still has 2 vulnerabilities including the high severity one. It looks like the fix is in 4.17.11, according to


Thanks for letting us know, we will get it sorted.


Ok I go tricked by a combination of things…

Most notably yarn global add will 4.17.5 no matter what… You have to install it from git repo:

➜  Projects yarn global add https://github.com/lodash-archive/lodash-cli
yarn global v1.16.0
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 🔨  Building fresh packages...
success Installed "lodash-cli@4.17.11" with binaries:
      - lodash
✨  Done in 5.90s.

Will be fixed by:




This topic was automatically closed after 10 hours. New replies are no longer allowed.