Security vulnerabilities with outdated JavaScript libraries

New Member
5 0 0


I recently ran a Google Lighthouse audit on my website using the Brooklyn theme and it highlighted 2x default libraries as having security vulnerabilities - JQuery@2.2.3 and Lo-Dash@4.5.1

These security vulnarability errors are making me nervous, so is there a simple copy/paste fix?

The jquery code is saved as the Brooklyn code file "jquery-2.2.3.min.js", and lodash is stored inside "theme.js.liquid".

The below is from the theme.js.liquid file:

* @license
* lodash 4.5.1 (Custom Build) | Underscore.js 1.8.3
* Build: `lodash core -o ./dist/lodash.core.js`

Replies 2 (2)
New Member
5 0 0

For anyone else with this issue, I fixed it as follows.

To fix the jquery vulnerability I:

Created a new .min.js file for jquery version 3.6.0 in the Assets folder

Changed the reference to the new version in theme.liquid

In theme.js.liquid, in the timber.accessibleNav function

  • Changed “timber.cache.$window.load(function() {“ to “timber.cache.$window.on('load', function() {“


To fix the lodash vulnerability I:

Added this include code to the theme.liquid file “{{ 'lodash-4.5.1.js' | asset_url | script_tag }}”

Moved the original lodash code from theme.js.liquid into Assets/lodash-4.5.1.js

Saved the latest lodash as Assets/lodash-4.17.21.min.js

Updated the lodash reference in theme.liquid file to {{ 'lodash-4.17.21.min.js' | asset_url | script_tag }}

11 1 0

Do you mabe have any idea how to fix this in the supply theme. I cant find the lodash code in theme.js ?