Has anyone dealt with Handlebars library security issues on Lighthouse?

Topic summary

Lighthouse (Google’s site auditing tool) flags security vulnerabilities in third‑party scripts, notably Handlebars (a JavaScript templating engine), hurting the Best Practices score. The initial report links to a Snyk advisory for [email removed] and notes newer versions fix it.

Updating libraries inside the theme’s vendor.js (a single bundled/minified file of all JS dependencies) resolves the warnings. The original poster confirms upgrading vendor.js to latest library versions removed the vulnerabilities.

Multiple participants ask how to update vendor.js and where to get the “latest” file. Guidance given: replace embedded library code with current minified releases (e.g., jQuery), but maintain correct load order and dependencies to avoid breaking subsequent scripts.

One user’s attempt to drop in jQuery 3.6.0 caused other libraries to fail, highlighting bundling/order complexity. They ultimately hired a Shopify expert, and the issue disappeared.

Most recent development: a deep dive into the Supply theme found a customized, minified Handlebars 1.3.0 in vendor.js; the contributor is de‑minifying and reconciling changes, citing forward‑compatibility concerns and plans to share results.

Status: theme‑specific fixes, no universal solution documented. Action items: upgrade bundled libraries, verify dependency order, or seek expert assistance. Open question: authoritative, safe procedure for updating bundled libraries in Shopify themes.

Summarized with AI on February 4. AI used: gpt-5.

Hey experts,

Has anyone come across a security issue regarding the Handlebars library when testing on Lighthouse?

I get the following message: Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers.

It points to this library called Handlebars (Handlebars@4.0.5). It looks like it has been fixed in newer versions; however, I’m not sure if this is a script that comes directly from Shopify or if this is theme related.

It’s literally preventing me from achieving a perfect 100 score for Best Practices :grinning_face_with_smiling_eyes:

Nevermind guys,

It’s actually a library that’s part of the vendor.js file; updating it to the latest version solves any vulnerability issues :wink:

Hey guys,

Where do we get the latest version of the vendor.js file?

Hello sir, can you guide me on how to do that?

Can you share some advice on how to update?

Vendor.js is just a file that contains all the necessary libraries you are using on your theme. Instead of loading each library from a separate file, a good practice is to minify them and include them all in one main file, in this case the vendor.js file.

This file can contain anything from the latest version of jQuery to a specific library you are using for your theme, e.g. animate.js for animations. In short, a vendor.js file contains any JavaScript library needed on your theme.

Makes sense? Let me know :slightly_smiling_face:

Hi there, can you help me out with this?

I have a couple of libraries showing vulnerabilities on Lighthouse, including Handlebars and jQuery. I’m gathering that I need to replace these libraries with their updated minified ones inside the vendor.js file.

For jQuery, for example, do I need to take the text in this file https://code.jquery.com/jquery-3.6.0.min.js and paste it in? I tried it where I thought the old version was, but then all libraries called after that don’t load. So I guess what I’m asking is, which text do I replace with what? Here’s what’s currently in my vendors.js file: https://codeshare.io/an1NbM

I’m right at the limits of my understanding with this stuff, so feel free to explain to me like I’m five. I feel like I’m almost there but something’s not quite clicking! Thanks if you can help.
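The two practical questions in this thread are "which libraries (and versions) are actually inside my vendor.js?" and "which chunk do I replace without breaking the scripts loaded after it?". Lighthouse answers the first at runtime by fingerprinting libraries in the loaded page; the script below is an added example (not code from the thread, from Shopify, or from any theme) that instead inspects the bundle file offline. It relies on the `/*! name vX.Y.Z ... */` banner comments that minifiers preserve at the top of each library, splits the bundle into one segment per banner (so the order the libraries load in is visible), compares each version against a minimum-version policy you supply, and swaps a single segment in place so everything before and after it stays exactly where it was. The sample bundle, the library stubs in it, and the version floors in `EXAMPLE_POLICY` are all constructed for illustration; set real floors from the advisories Lighthouse links to.

```javascript
// Added example: audit and patch a bundled vendor.js by its preserved "/*!" banners.
// Assumption: each bundled library starts with a banner such as "/*! jQuery v3.6.0 ... */"
// or "/*!\n handlebars v4.0.5\n ... */". Code that carries no banner is reported as
// "unknown" so it can be inspected by hand instead of being silently ignored.
const BANNER_RE = /\/\*!\s*([A-Za-z][\w.-]*)\s+v?(\d+\.\d+\.\d+)[\s\S]*?\*\//g;

// Constructed sample bundle: a bannerless prelude, then three stub "libraries".
const SAMPLE_VENDOR_JS = [
  '(function(){window.__vendorLoaded=true})();',
  '/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */',
  'window.jQuery=window.$=function(){return"jquery"};',
  '/*!',
  ' handlebars v4.0.5',
  'Copyright (C) 2011-2015 by Yehuda Katz',
  '*/',
  'window.Handlebars={VERSION:"4.0.5"};',
  '/*! animate-helper v1.2.0 */',
  'window.animate=function(){return window.jQuery()+"+animate"};',
].join('\n');

// Illustrative version floors only (constructed); not a statement of which
// release fixes which advisory. Keys are lower-cased banner names.
const EXAMPLE_POLICY = { jquery: '3.6.0', handlebars: '4.1.0' };

function parseSemver(v) {
  return v.split('.').map(Number);
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b. Missing parts count as 0.
function compareVersions(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Split the bundle into segments: [optional "unknown" prelude, one per banner],
// each segment running from its banner to the start of the next banner.
function splitBundle(source) {
  const banners = [];
  BANNER_RE.lastIndex = 0;
  let m;
  while ((m = BANNER_RE.exec(source)) !== null) {
    banners.push({ name: m[1].toLowerCase(), version: m[2], start: m.index });
  }
  const segments = [];
  const firstStart = banners.length ? banners[0].start : source.length;
  if (source.slice(0, firstStart).trim() !== '') {
    segments.push({ name: 'unknown', version: null, start: 0, end: firstStart });
  }
  banners.forEach((b, i) => {
    const end = i + 1 < banners.length ? banners[i + 1].start : source.length;
    segments.push({ name: b.name, version: b.version, start: b.start, end });
  });
  return segments;
}

// One row per segment, in load order, with a status against the policy:
// "ok", "outdated" (below the floor), "unlisted" (no floor given), "unknown" (no banner).
function auditBundle(source, policy) {
  return splitBundle(source).map((seg, order) => {
    let status;
    if (seg.version === null) status = 'unknown';
    else if (!(seg.name in policy)) status = 'unlisted';
    else status = compareVersions(seg.version, policy[seg.name]) < 0 ? 'outdated' : 'ok';
    return { order, name: seg.name, version: seg.version, status };
  });
}

// Replace exactly one library's segment with new minified text, leaving the
// surrounding segments (and therefore the load order) untouched.
function replaceLibrary(source, name, replacement) {
  const seg = splitBundle(source).find((s) => s.name === name.toLowerCase());
  if (!seg) throw new Error(`no banner for ${name} found in bundle`);
  return source.slice(0, seg.start) + replacement.trimEnd() + '\n' + source.slice(seg.end);
}

// Stand-alone run: audit the constructed sample and show the patched result.
console.log(auditBundle(SAMPLE_VENDOR_JS, EXAMPLE_POLICY));
const PATCHED = replaceLibrary(
  SAMPLE_VENDOR_JS,
  'handlebars',
  '/*! handlebars v4.1.0 (constructed stand-in) */\nwindow.Handlebars={VERSION:"4.1.0"};'
);
console.log(auditBundle(PATCHED, EXAMPLE_POLICY));
```

To use it on a real theme, feed the contents of `assets/vendor.js` (read with `fs.readFileSync`) to `auditBundle` first; the "unknown" and "unlisted" rows tell you where the banner heuristic could not help and a manual look is needed. For the replacement, pass the full official minified release of the library (banner included) to `replaceLibrary` rather than pasting it by hand, then re-run the audit and confirm the segment order is unchanged before uploading.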

I would like to know this too!

@SansTentacles Did you already find a solution?

Hey there! Nope, I didn’t. I ended up hiring one of the Shopify experts to help a bit with my loading speed and he took care of that issue while he was at it I think, because I don’t see the problem anymore. shrug

Okay! Thanks for the reply.

So I’ve dived deep into this issue. I have a Supply theme with what seems like a minified Handlebars 1.3.0. I found the original min.js for version 1.3.0 and painstakingly made it readable again in VS; it seems like whoever built the Supply theme took the non-minified version, changed it up, called it 1.3.0 and then used some other minify compiler to produce the mess that sits in the vendor.js file now. I’ll be spending the next month fixing this, but Shopify should take more care with forwards compatibility; I’m going to have to read through 9 years of update notes now. I’ll share when I’m done.