How to remove hardcoded library version info from minified JS files in Django production?
I'm using Django to serve static files in production, and I've noticed that many of the third-party JS libraries (like jQuery, Bootstrap, JSZip, and Moment.js) include hardcoded version numbers inside the minified files.
For example:
/*! jQuery v3.3.1 */
"version": "3.7.1"
These version details are accessible to anyone via the browser's DevTools, and I’m concerned this could expose the application to targeted attacks if any of the libraries are outdated.
Questions:
What is the best way to strip or hide these version numbers from minified JS/CSS in a Django production environment?
Should I re-minify third-party libraries myself before using them in Django?
Are there best practices or tools recommended for this kind of hardening?
Thanks!
What is the best way to strip or hide these version numbers from minified JS/CSS in a Django production environment?
If you like, you could use a regexp search-and-replace. But see below...
Should I re-minify third-party libraries myself before using them in Django?
Probably not. But if you bundle your code with something like vite/esbuild/rollup/..., it'll end up happening anyway.
Are there best practices or tools recommended for this kind of hardening?
Trying to harden front-end libraries by hiding version numbers doesn't really matter.
The backend is where your security needs to happen anyway.
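For completeness, here is what the regexp search-and-replace mentioned in the answer looks like as a post-`collectstatic` step. This is an added example, not code from the question, the answer or any of the libraries named; `scrub_static_dir` and the sample asset are assumptions for illustration, and the rewrite only changes text, so the library shipped is still the same version.

```python
"""Strip hardcoded version strings from already-minified JS/CSS assets."""
import re
from pathlib import Path

# Banner comments that minifiers preserve, e.g. /*! jQuery v3.3.1 | (c) ... */
BANNER = re.compile(r"/\*!.*?\*/", re.DOTALL)
# A version token inside such a banner: v3.3.1, 4.0.0-beta.2, 2.29.4 ...
VERSION_TOKEN = re.compile(r"\s+v?\d+\.\d+(?:\.\d+)*(?:-[\w.]+)?\b")
# A version property: "version": "3.7.1" (JSON) or version:"3.7.1" (minified JS)
VERSION_PROP = re.compile(r'("?\bversion\b"?\s*:\s*")[\w.+-]+(")')

# Constructed sample asset, loosely modelled on a jQuery banner plus the
# "version" field from the question; not a real library file.
SAMPLE = (
    "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
    '!function(e){e.fn=e.prototype={version:"3.3.1"}}(window);\n'
)


def strip_version_strings(text: str) -> tuple[str, int]:
    """Return (scrubbed text, number of version strings removed)."""
    removed = 0

    def scrub_banner(m: re.Match) -> str:
        nonlocal removed
        cleaned, n = VERSION_TOKEN.subn("", m.group(0))
        removed += n
        return cleaned

    text = BANNER.sub(scrub_banner, text)          # only touch /*! ... */ banners
    text, n = VERSION_PROP.subn(r"\1\2", text)     # blank the property value, keep valid JS
    return text, removed + n


def scrub_static_dir(root: Path, suffixes=(".js", ".css")) -> dict:
    """Rewrite every asset under root in place; return {relative path: count}.

    Assumed deployment step run on STATIC_ROOT after collectstatic; not a Django API.
    """
    report = {}
    for path in root.rglob("*"):
        if path.suffix in suffixes:
            cleaned, n = strip_version_strings(path.read_text(encoding="utf-8"))
            if n:
                path.write_text(cleaned, encoding="utf-8")
                report[str(path.relative_to(root))] = n
    return report


if __name__ == "__main__":
    scrubbed, count = strip_version_strings(SAMPLE)
    print(f"removed {count} version strings:\n{scrubbed}")
```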