Still Using Lodash 3.x? Here’s What You’re Risking.
Why millions of downloads don’t mean you’re safe—and what to do if your app still depends on Lodash 3.
Lodash 3.10.1 shipped nearly a decade ago. It hasn’t seen a security update since, but it still clocks in at 1.5 million downloads per week, powering thousands of production apps across enterprises, governments, and internal tools. If you’re still using it, you’re not alone—but you are exposed.
Here’s why that matters, and what your options really are.
Known CVEs. No patches.
Lodash 3 never received fixes for multiple high-severity issues, including:
- CVE-2020-8203 – Prototype pollution (via _.zipObjectDeep)
- CVE-2021-23337 – Code injection via _.template (the variable option was passed unsanitized into the generated function)
These are exploitable. Prototype pollution reaches any app that deep-merges attacker-controlled objects, such as a parsed JSON body carrying a __proto__ or constructor.prototype key, with helpers like _.merge, _.defaultsDeep, or _.zipObjectDeep; one property written onto Object.prototype then shows up on every object in the process and can flip an authorization check or crash the app. The _.template flaw reaches apps that let untrusted input into the template source or its options. For public-facing apps, especially in finance, health, or commerce, that's a real threat, not just theoretical.
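To make the prototype-pollution entry concrete, here is an added example; it is not code from this page, from HeroDevs, or from Lodash. It contains a toy recursive merge, naiveMerge, that reproduces the defect class of the unpatched deep-merge helpers (a stand-in, not Lodash's implementation), a hardened safeMerge that refuses prototype-related keys, and a probe, isMergeVulnerable, that you can point at any (target, source) merge function, including require('lodash').merge or _.defaultsDeep from your own node_modules (assuming Lodash is installed there), to see whether a __proto__ key in the input reaches Object.prototype. The attacker payload is a constructed sample.

```javascript
// Added example, not HeroDevs' or Lodash's code: a probe for prototype
// pollution through deep-merge helpers, with a toy vulnerable merge and a
// hardened one. Runs under Node with no dependencies.

// Constructed sample input: the body an attacker would POST to an endpoint
// that deep-merges user JSON into settings, a profile, a query object, etc.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

// NOTE: JSON.parse creates an *own* property literally named "__proto__"
// (an object literal with that key would set the prototype instead), and
// Object.keys lists it. That is what lets the payload reach the merge.

// Toy stand-in for the unpatched deep-merge behaviour (not Lodash code):
// it walks into target[key] for every key, and target["__proto__"] resolves
// to Object.prototype, so the nested {isAdmin: true} is written there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: skip keys that address the prototype chain, and only
// recurse into plain objects that the target owns itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the key rather than merge it
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: true if merge(target, source) lets a __proto__ key in `source`
// land on Object.prototype. Works for any (object, source) merge, e.g.
// isMergeVulnerable(require('lodash').merge) against your installed copy.
// Cleans up so the rest of the process is not left polluted.
function isMergeVulnerable(merge) {
  const marker = '__pp_probe_marker__';
  const payload = JSON.parse('{"__proto__": {"' + marker + '": 1}}');
  try {
    merge({}, payload);
    // A brand-new, unrelated object only sees the marker through its prototype.
    return ({})[marker] === 1;
  } finally {
    delete Object.prototype[marker];
  }
}

// Impact demo: after a vulnerable merge, every object in the process,
// including ones created later, reports isAdmin === true, so a check like
// `if (user.isAdmin)` on an object that never had the field now passes.
function pollutionDemo(merge) {
  const before = ({}).isAdmin;
  merge({}, JSON.parse(ATTACKER_JSON));
  const after = ({}).isAdmin; // fresh object, never touched by the merge
  delete Object.prototype.isAdmin; // undo the damage for this demo
  return { before, after };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('naiveMerge vulnerable:', isMergeVulnerable(naiveMerge)); // true
  console.log('safeMerge vulnerable: ', isMergeVulnerable(safeMerge));  // false
  console.log('impact:', pollutionDemo(naiveMerge)); // { before: undefined, after: true }
}
```

Run it against your own dependency with isMergeVulnerable(require('lodash').merge) or isMergeVulnerable(require('lodash').defaultsDeep); npm ls lodash shows whether a 3.x copy is still being pulled in transitively by another package even if your own package.json pins 4.x. Blocklisting __proto__, constructor and prototype is the same class of fix the patched Lodash releases applied; creating target objects with Object.create(null) is a complementary defence for config objects that never need inherited properties.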
“Stable” doesn’t mean safe.
Yes, Lodash 3 is stable. That's the problem. Many teams don't touch it because "it just works." But stable ≠ secure. When a SOC 2, PCI DSS, or HIPAA review looks at your dependencies, it doesn't care whether your app works. It cares whether the software is supported and receiving patches.
Lodash 3 isn’t.
Migration isn’t free.
If you’ve delayed upgrading, you probably had a good reason. Lodash 4 introduced breaking changes. You’d need to comb through thousands of usages, update third-party libraries, and retest everything. It’s not a weekend job—it’s a six-figure migration for some teams.
So what can you do?
HeroDevs now offers Never-Ending Support (NES) for Lodash 3.x and 4.x. It’s a drop-in replacement with ongoing security patches, compliance documentation, and zero code changes required.
- No more CVE fire drills
- No more audit anxiety
- No risky rewrites
Stay on Lodash 3.x. We’ll keep it secure.
Still on Lodash 3? You don’t have to stay exposed.
Explore pricing