How do you upgrade underscore?

Hi, I do not know much about web design at all, but have managed to put together a website using a Hugo template. I received a disconcerting message on GitHub alerting me to “Upgrade underscore to version 1.12.1 or later.”, in order to resolve an apparently serious security vulnerability.

I’m not really sure how to do that! Though I was able to track down the relevant files in repository (GitHub - mvanaman/website), which appear to be:

  • /public/lib/js-sequence-diagrams/underscore-1.8.3.min.js, and
  • /themes/hugo-theme-even/static/lib/js-sequence-diagrams/underscore-1.8.3.min.js

I think I’ve figured out that I should replace this file (or its contents) with the updated one from here, but the role of these files within a Hugo template is mysterious to me and I’m worried it will break something. Is replacing this file (or its contents) the correct thing to do?

Thank you for your time, and apologies in advance if this is an extremely basic question!

You should be able to fix this by dropping in the latest version of underscore-X.X.X.min.js to


Then when Hugo builds your site, it (should) distribute the version found in /website/static/... rather than the version provided by the theme.

Now, I know nothing about this javascript library. There’s a chance that dropping in a newer version will break something - though doing it this way will make it easier to try a newer version without breaking your existing site (if it doesn’t work, just delete the latest version and try an earlier one).

OK - I dropped it in, pushed the changes to my site and nothing broke. Thank you for taking the time to look at this!


That’s interesting…because thinking about it more it should have broken things!

You’ll also need to override the line where the library is loaded:

So I’d do this by making a copy of themes/hugo-theme-even/layouts/partials/scripts.html into /layouts/partials/scripts.html. Then change line 65 to load the updated version of the library (you’ll also need to get a new SHA integrity value - using something like this).

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.