Security vulnerabilities with outdated JavaScript libraries

andylewie
Excursionist

Hello,

I recently ran a Google Lighthouse audit on my website using the Brooklyn theme and it highlighted 2x default libraries as having security vulnerabilities - JQuery@2.2.3 and Lo-Dash@4.5.1.

These security vulnerability errors are making me nervous, so is there a simple copy/paste fix?

The jquery code is saved as the Brooklyn code file "jquery-2.2.3.min.js", and lodash is stored inside "theme.js.liquid".

The below is from the theme.js.liquid file:

/**
* @license
* lodash 4.5.1 (Custom Build) lodash.com/license | Underscore.js 1.8.3 underscorejs.org/LICENSE
* Build: `lodash core -o ./dist/lodash.core.js`
*/

Replies 3 (3)

andylewie
Excursionist

For anyone else with this issue, I fixed it as follows.

To fix the jquery vulnerability I:

Created a new .min.js file for jquery version 3.6.0 in the Assets folder

Changed the reference to the new version in theme.liquid

In theme.js.liquid, in the timber.accessibleNav function

  • Changed “timber.cache.$window.load(function() {” to “timber.cache.$window.on('load', function() {”

To fix the lodash vulnerability I:

Added this include code to the theme.liquid file “{{ 'lodash-4.5.1.js' | asset_url | script_tag }}”

Moved the original lodash code from theme.js.liquid into Assets/lodash-4.5.1.js

Saved the latest lodash as Assets/lodash-4.17.21.min.js

Updated the lodash reference in theme.liquid file to {{ 'lodash-4.17.21.min.js' | asset_url | script_tag }}
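
A way to check a theme for the two things this fix touches, as an added example that is not part of the original post: it reads library versions from asset file names and embedded license banners, and flags the .load(function ...) event shorthand that jQuery 3 removed. The baseline versions are the ones the post upgraded to, and the file contents and function names are constructed for illustration.

```javascript
// Added example. Baselines are the versions the post upgraded to, not an advisory feed.
const BASELINE = { jquery: '3.6.0', lodash: '4.17.21' };

// Compare dotted versions numerically (string comparison would rank 4.5.1 above 4.17.21).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect library versions from asset file names and from banners inside file bodies.
function findLibraries(files) {
  const seen = new Map();
  const add = (lib, version, file) => {
    lib = lib.toLowerCase();
    seen.set(`${lib}@${version}:${file}`, { lib, version, file });
  };
  for (const [file, body] of Object.entries(files)) {
    const n = file.match(/(jquery|lodash)-(\d+(?:\.\d+)+)(?:\.min)?\.js/i);
    if (n) add(n[1], n[2], file);
    for (const m of body.matchAll(/\b(jquery|lodash)\s+v?(\d+(?:\.\d+)+)/gi)) add(m[1], m[2], file);
  }
  return [...seen.values()];
}

// Event shorthands with a function as first argument were removed in jQuery 3.
function findRemovedShorthands(files) {
  const hits = [];
  for (const [file, body] of Object.entries(files)) {
    body.split('\n').forEach((line, i) => {
      const m = line.match(/\.(load|unload|error)\(\s*function\b/);
      if (m) hits.push({ file, line: i + 1, method: m[1] });
    });
  }
  return hits;
}

function audit(files) {
  const outdated = findLibraries(files)
    .filter((l) => compareVersions(l.version, BASELINE[l.lib]) < 0);
  return { outdated, removedShorthands: findRemovedShorthands(files) };
}

// Constructed sample modelled on the files named in the thread.
const sampleTheme = {
  'assets/jquery-2.2.3.min.js': '/*! jQuery v2.2.3 | (c) jQuery Foundation */',
  'assets/theme.js.liquid': '/**\n * @license\n * lodash 4.5.1 (Custom Build) lodash.com/license\n */\ntimber.accessibleNav = function() {\n  timber.cache.$window.load(function() {\n  });\n};',
};
console.log(JSON.stringify(audit(sampleTheme), null, 2));
```

Run the shorthand check before swapping in jQuery 3.x: any hit is a call that will throw once the old library is gone.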

Parmegastore
Excursionist

Do you maybe have any idea how to fix this in the Supply theme? I can't find the lodash code in theme.js.

sofybrands
New Member

Do you maybe have any idea how to fix the vulnerability jQuery@3.4.1 in the Dawn theme? How can I fix it?