No Vulnerable Libraries.

Performance Best Practices

Outdated libraries with known CVEs — security and stability risk

What does this check test?

This check detects front-end JavaScript libraries with known security vulnerabilities (CVEs). Lighthouse cross-references the detected library versions against the Snyk vulnerability database to identify libraries with published vulnerabilities. Common vulnerable libraries include outdated versions of jQuery, Angular, React, Lodash, Bootstrap, and Moment.js. This check covers client-side libraries loaded in the browser, not server-side dependencies. A vulnerable library does not necessarily mean your site is exploitable, but it indicates an attack surface that should be evaluated.

Why does it matter?

Known vulnerabilities in client-side libraries are exploitable by attackers who can see exactly which library version you use (it is in the source code). Exploits for popular library vulnerabilities are widely documented and trivial to execute. Beyond security, outdated libraries often have performance bugs, memory leaks, and compatibility issues that have been fixed in newer versions. Running vulnerable libraries also creates compliance issues for organizations subject to PCI-DSS, SOC 2, or similar frameworks that require timely patching. From a performance perspective, older libraries are often larger and less optimized than their modern counterparts.

Who is affected?

Sites using npm dependencies that are not regularly updated, WordPress sites with outdated plugins that bundle old JavaScript libraries, legacy applications that depend on specific library versions, and sites that load libraries from public CDNs (which may serve outdated cached versions) are most affected. Enterprise applications with complex dependency trees and slow update cycles are particularly vulnerable.

Where does this apply?

Lighthouse identifies vulnerable libraries in the 'Includes front-end JavaScript libraries with known security vulnerabilities' diagnostic, showing the library name, version, and CVE identifiers. Chrome DevTools Application panel may show loaded scripts. Check your `package.json` and `package-lock.json` (or `yarn.lock`) for outdated dependencies. Run `npm audit` or `yarn audit` to see known vulnerabilities in your dependency tree.

How to fix it

Run `npm audit` to identify vulnerable dependencies and apply the fixes it offers:

```bash
npm audit --production         # check production deps only
npm audit fix                  # auto-fix compatible updates
npm install lodash@latest      # manually update a package
```

Block deploys with vulnerabilities in CI/CD by failing the test step when the audit reports anything at or above the chosen severity:

```json
{
  "scripts": {
    "pretest": "npm audit --audit-level=high --production"
  }
}
```
For major version updates that may have breaking changes, review the changelog and test thoroughly. Use automated dependency update tools like Dependabot (GitHub), Renovate, or Socket.dev to keep dependencies current. Pin exact versions in `package.json` to prevent unexpected updates: `"react": "18.2.0"` instead of `"react": "^18.2.0"`. Replace deprecated libraries with modern alternatives (jQuery -> vanilla JS, Moment.js -> date-fns or Temporal API).
