Discourse embeds a custom copy of 1.3.0 version of lo-dash. Google’s lighthouse analysis reports 4 security vulnerabilities on my up-to-date Discourse instance, 3 of which are in lo-dash and one of which is marked as High severity. The lighthouse report links to [صورة] lodash vulnerabilit…

@j.jaffeux can you update lo-dash to latest version?

@j.jaffeux just updated lodash and also reduced our surface area quite a lot by building a custom hand curated lodash that only includes a subset of function on offer that we use.

If you consider the huge jump in the version number, it should have changed a number of method signatures. Since it’s Lodash, developers should review the need and migrate to vanilla js whenever possible.

Hmm - I reran the report on lighthouse (pointing at this site), and it sees lo-dash now at version 4.17.5, which is a great deal newer but still has 2 vulnerabilities including the high severity one. It looks like the fix is in 4.17.11, according to [صورة] Snyk - lodash vulnerabilities V…

Thanks for letting us know, we will get it sorted.

Ok I go tricked by a combination of things… Most notably yarn global add will 4.17.5 no matter what… You have to install it from git repo: ➜ Projects yarn global add https://github.com/lodash-archive/lodash-cli yarn global v1.16.0 [1/4] 🔍 Resolving packages... [2/4] 🚚 Fetching packages... [3/4]…

Lo-dash version contains a high-severity security vulnerability

الدعم

Stephen (Stephen) 17 مايو 2019، 1:04ص 6

Any chance it eliminated functionality which certain plugins used?

الموضوع		الردود	مرات العرض
Vulnerabilities in the official Docker image Development	1	874	19 مايو 2023
Lodash.js missing Support unsupported-install	6	712	16 أكتوبر 2020
3.2.4: Security and bug fix release Announcements release-notes	0	345	15 يوليو 2024
Unable to find discourse version 2.9.0.beta6 Support	4	650	4 يوليو 2022
Vulnerability patching of npm/gem dependencies in discourse Self-hosting docker	2	108	13 أكتوبر 2025

Lo-dash version contains a high-severity security vulnerability

الموضوعات ذات الصلة