Avoiding Lodash version disclosure about lodash HOT 5 OPEN

If you are in a situation, where you can read the version via devtools, you already have code execution privileges.
If you are doing recon on another website e.g. to find vulns, you can just guess the version based on the source code (yes, even if minified). Or just try to exploit the issues straight away.

So it makes absolutely no sense to try to hide the version of a client-side library.

from lodash.

This issue is causing some security concerns in my organization is someone able to looking into it?

from lodash.

Tell whoever raised those concerns that it's trivial to determine a library version anyway...

from lodash.

The last vestige of this issue was removed from the main branch of lodash in 2019 in 40e9c66.

Unfortunately, that commit wasn't included in the 4.17.21 release that went out the following month, and there hasn't been a subsequent release of lodash in that time. (And it doesn't seem like there's a release coming any time soon, although I would be delighted to be wrong about that.)

Fortunately, this is not actually a significant security issue. Your security scanners and information security officers are participating in a false positive race to the bottom. Sure, lodash can redact the version information, but that's security through obscurity. Since the version disclosure issue is only a problem on the client side, the attacker can simply inspect the payload to determine the version or not even bother and just run whatever exploit they would use on a vulnerable version and see if it works.

from lodash.

This vulnerability might be caused because the lodash object is exported globally and it can be accessed directly using window._

You could get rid of this vulnerability issue by following the solution suggested here - #2671 (comment)

Link to the solution: webpack/webpack#3017 (comment)

from lodash.