The Most Downloaded JS Library You Forgot to Upgrade
Lodash gets over 66 million downloads a week—but most teams have no idea it’s effectively end-of-life.
There’s a good chance your app still includes Lodash. There’s an even better chance you haven’t thought about it in years.
But here’s the reality:
Lodash 4.17.21 gets over 66 million downloads per week.
And it hasn’t been updated since February 2021.
No updates ≠ no problems
Lodash isn’t officially deprecated. It’s just… stale. No commits. No roadmap. No maintainer activity. Potentially, no patch coming if a new CVE is discovered.
That means millions of apps—some of the biggest names on the internet—are quietly running a critical piece of unmaintained software every single day.
The long tail of tech debt
It’s easy to miss Lodash in an audit. It can be buried deep—pulled in by older libraries, build tools, or legacy modules. You might not use _.merge or _.cloneDeep directly anymore, but something you depend on still does.
And Lodash 3? Still downloaded 1.5 million times a week. That version still has not been patched for some key security vulnerabilities.
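An added example, not from the original article or from HeroDevs: it walks the packages map of an npm lockfile (lockfileVersion 2 or 3) and lists every installed copy of lodash, its version, and which packages resolve to it, so buried Lodash 3 copies show up. The sample lockfile, the package names report-builder and old-cli-kit, and the function names are constructed for illustration.

```javascript
// Constructed sample in package-lock.json v2/v3 shape ("packages" map keyed by
// install path). Package names other than lodash are made up for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "report-builder": "^2.0.0", "old-cli-kit": "^1.4.0" } },
    "node_modules/report-builder": { version: "2.3.1", dependencies: { lodash: "^4.17.0" } },
    "node_modules/old-cli-kit": { version: "1.4.2", dependencies: { lodash: "^3.10.0" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/old-cli-kit/node_modules/lodash": { version: "3.10.1" },
  },
};

// Resolve a dependency the way Node does: look in the dependent's own
// node_modules first, then walk up through each parent's node_modules.
function resolveInstallPath(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every installed copy of the package, with its version and the packages that resolve to it.
function findLodashCopies(lock, name = "lodash") {
  const packages = lock.packages || {};
  const copies = new Map();
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "node_modules/" + name || path.endsWith("/node_modules/" + name)) {
      copies.set(path, { path, version: meta.version, requiredBy: [] });
    }
  }
  for (const [path, meta] of Object.entries(packages)) {
    const declared = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    if (!(name in declared)) continue;
    const hit = copies.get(resolveInstallPath(packages, path, name));
    if (hit) hit.requiredBy.push(path === "" ? "(root project)" : path);
  }
  return [...copies.values()].map((c) => ({
    ...c,
    major: Number(String(c.version).split(".")[0]),
    direct: c.requiredBy.includes("(root project)"),
  }));
}

for (const c of findLodashCopies(sampleLock)) console.log(c.path, c.version, c.direct, c.requiredBy);
```

To run it on a real project, pass the parsed contents of package-lock.json to findLodashCopies in place of sampleLock.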
The fix: support without the rewrite
You don’t have to gut your app or chase every dependency.
HeroDevs now offers Never-Ending Support (NES) for Lodash 3 and 4—providing:
- Ongoing security patches
- Compliance-ready documentation
- A drop-in, version-matched replacement
- Zero changes to your application code
NES gives you the confidence of ongoing maintenance with none of the migration overhead.
Using Lodash? You’re not alone. Unsupported? You don’t have to be.
Get secure with NES for Lodash