Issue #3443 (Answered), opened May 7, 2021 by chilled-capybara

Backbone-undo/underscore security advisory


Question

Version: v0.17.3

Are you able to reproduce the bug from the demo?

  • Yes
  • No

What is the expected behavior? See below

What is the current behavior? There is a known security vulnerability in one of the versions of underscore used by a nested dependency.

The current version of grapesjs utilises backbone-undo ^0.2.5 https://github.com/artf/grapesjs/blob/d7f773202c72710dd787e2ce418c114c9ef81986/package.json#L20

The latest version of which is 0.2.5 via npm

Version 0.2.5 of backbone-undo has a fixed limit on the underscore version;

"underscore": "1.4.4 - 1.8.3"

Which looks to be vulnerable based on this advisory https://github.com/advisories/GHSA-cf4h-3jhx-xvhq

Version 0.2.6 of backbone-undo does update this, but as mentioned is not available via npm

Are you able to attach screenshots, screencasts or a live demo?

  • Yes
  • No

Answers (4)

emyasnikov, May 11, 2021

I'm also wondering if backbone-undo is needed or can be replaced by something similar. The package hasn't been updated for 6 years

artf, May 18, 2021

The package hasn't been updated for 6 years

Well, except for updating its dependencies (like in this case, for security reasons), it's a feature-complete library; there is no need to add/update anything else.

Anyway, this PR seems to fix the security vulnerability at the .lock level, but I'm not sure if those are kept on a fresh install. I know that yarn has resolutions for such cases, but I'm not sure about alternatives in npm.

chilled-capybara, May 27, 2021

Thanks for your reply

Anyway, this PR seems to fix the security vulnerability at the .lock level, but I'm not sure if those are kept on a fresh install.

I think that might fix the version in the main grapesjs repo, but I'm not sure it restricts the one imported via backbone-undo.

If you set up a fresh project via

yarn init
yarn add grapesjs

the new yarn.lock will still reference both versions;

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


backbone-undo@^0.2.5:
  version "0.2.5"
  resolved "https://registry.yarnpkg.com/backbone-undo/-/backbone-undo-0.2.5.tgz#55b25230f90319ca622465e89a80248b893c2ce2"
  integrity sha1-VbJSMPkDGcpiJGXomoAki4k8LOI=
  dependencies:
    backbone "1.0.0 - 1.2.1"
    underscore "1.4.4 - 1.8.3"

...

grapesjs@^0.17.4:
  version "0.17.4"
  resolved "https://registry.yarnpkg.com/grapesjs/-/grapesjs-0.17.4.tgz#4baf69598b74a2e58c5133d9ab85631cf4de53e1"
  integrity sha512-oBFCg88KpUKly4LCf+FG42f0kbIKBbkilpyBr+2aggnLRpeSYFv3Db+fQIG+H1Y345QVqKbi/IKEUJe5X0wuiw==
  dependencies:
    backbone "1.3.3"
    backbone-undo "^0.2.5"
    cash-dom "^2.3.9"
    codemirror "^5.58.2"
    codemirror-formatting "^1.0.0"
    keymaster "^1.6.2"
    promise-polyfill "^8.1.3"
    spectrum-colorpicker "^1.8.0"
    underscore "^1.9.1"

...

"underscore@1.4.4 - 1.8.3":
  version "1.8.3"
  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.8.3.tgz#4f3fb53b106e6097fcf9cb4109f2a5e9bdfa5022"
  integrity sha1-Tz+1OxBuYJf8+ctBCfKl6b36UCI=

underscore@>=1.7.0, underscore@>=1.8.3, underscore@^1.9.1:
  version "1.13.1"
  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.13.1.tgz#0c1c6bd2df54b6b69f2314066d65b6cde6fcf9d1"
  integrity sha512-hzSoAVtJF+3ZtiFX0VgfFPHEDRm7Y/QPjGyNo4TVdnDTdft3tr8hEkD25a1jC+TjTuE7tkHGKkhwCgs9dgBB2g==
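As an added illustration (not code from this thread or from the GrapesJS project), the following Python script does the check the two posts above are circling: it parses a yarn v1 lockfile like the one quoted, lists every resolved version of underscore together with the selector ranges that pulled it in, flags the copies that resolve below the advisory's first fixed release (1.12.1 here, taken from the linked GHSA page rather than from the thread), and builds the package.json fields that force every nested copy to one version: yarn's resolutions, and npm's overrides field, which is the npm-side counterpart and assumes npm 8.3 or later. The sample lockfile embedded in the script is a constructed, abridged copy of the one quoted above.

```python
"""Check a yarn v1 lockfile for nested copies of a package that resolve below
an advisory's fixed version, and build the package.json pin for them.
Added example; the lockfile text below is a constructed, abridged copy of the
one quoted in the thread."""
import json
import re

SAMPLE_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


backbone-undo@^0.2.5:
  version "0.2.5"
  resolved "https://registry.yarnpkg.com/backbone-undo/-/backbone-undo-0.2.5.tgz"
  dependencies:
    backbone "1.0.0 - 1.2.1"
    underscore "1.4.4 - 1.8.3"

"underscore@1.4.4 - 1.8.3":
  version "1.8.3"
  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.8.3.tgz"

underscore@>=1.7.0, underscore@>=1.8.3, underscore@^1.9.1:
  version "1.13.1"
  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.13.1.tgz"
"""

# First underscore release that fixes GHSA-cf4h-3jhx-xvhq, as listed on the
# advisory page itself (the thread does not state it).
FIXED_UNDERSCORE = "1.12.1"


def parse_yarn_lock_v1(text):
    """Return a list of {"specs", "version", "dependencies"} entries.
    An entry header is unindented and ends with ':'; it lists one or more
    'name@range' selectors separated by ', ', each possibly double-quoted.
    Entry fields are indented two spaces, dependency lines four."""
    entries, current, in_deps = [], None, False
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):
            specs = [s.strip().strip('"') for s in line.rstrip(":").split(", ")]
            current = {"specs": specs, "version": None, "dependencies": {}}
            entries.append(current)
            in_deps = False
            continue
        if current is None:
            continue  # indented line before any header: malformed, skip it
        stripped = line.strip()
        if not line.startswith("    "):
            in_deps = stripped == "dependencies:"
            m = re.match(r'version "([^"]+)"', stripped)
            if m:
                current["version"] = m.group(1)
        elif in_deps:
            m = re.match(r'(\S+) "([^"]+)"', stripped)
            if m:
                current["dependencies"][m.group(1)] = m.group(2)
    return entries


def version_key(v):
    """Sortable key for 'x.y.z' or 'x.y.z-pre'; a pre-release sorts before
    the same release, as semver requires."""
    main, _, pre = v.partition("-")
    return (tuple(int(p) for p in main.split(".")), 0 if pre else 1, pre)


def package_name(spec):
    """'underscore@>=1.7.0' -> 'underscore'; also handles '@scope/pkg@^1'."""
    return spec[:spec.rindex("@")]


def vulnerable_resolutions(lock_text, package, fixed_version):
    """Every resolved version of `package` below `fixed_version`, with the
    selector specs that resolved to it."""
    hits = []
    for e in parse_yarn_lock_v1(lock_text):
        if package in {package_name(s) for s in e["specs"]}:
            if version_key(e["version"]) < version_key(fixed_version):
                hits.append((e["version"], e["specs"]))
    return hits


def parents_of(lock_text, package):
    """Which lock entries declare `package` as a dependency, and with what range."""
    return {e["specs"][0]: e["dependencies"][package]
            for e in parse_yarn_lock_v1(lock_text) if package in e["dependencies"]}


def pin_fields(package, version):
    """package.json fragments forcing every nested copy of `package` to
    `version`: yarn v1 'resolutions' (bare name == '**/name') and npm >= 8.3
    'overrides'. Use the one matching your package manager."""
    return {"resolutions": {package: version}, "overrides": {package: version}}


if __name__ == "__main__":
    for version, specs in vulnerable_resolutions(SAMPLE_LOCK, "underscore", FIXED_UNDERSCORE):
        print(f"underscore {version} (< {FIXED_UNDERSCORE}) still resolved for {specs}")
    print("declared by:", parents_of(SAMPLE_LOCK, "underscore"))
    print("pin with:", json.dumps(pin_fields("underscore", "1.13.1"), indent=2))
```

Run it against a real yarn.lock by reading the file into lock_text instead of SAMPLE_LOCK; an empty list from vulnerable_resolutions after a fresh install is the evidence that the pin survived, and parents_of tells you which parent entry (here backbone-undo@^0.2.5) carries the narrow range that needs the override in the first place.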

ClaudeCode, May 17, 2026

Thanks for reporting this, @chilled-capybara.

Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.

For you right now:

  1. Run npm audit fix to see available patches
  2. Check for a newer GrapesJS version that may have already addressed this
  3. If available, test the latest stable release before upgrading
  4. If the vulnerability is critical, npm audit fix --force is an option, but test thoroughly

Understanding the risk:

  • Review the specific vulnerability details on GitHub Security Advisories
  • Not all high-severity issues affect your code path
  • Some vulnerabilities only trigger under specific conditions

Staying current:

  • Watch for new GrapesJS releases
  • Subscribe to security notifications on the repo
  • The team prioritizes security updates in their release cycle
