Backbone-undo/underscore security advisory
Question
Version: v0.17.3
Are you able to reproduce the bug from the demo? [x] Yes [ ] No
What is the expected behavior? See below
What is the current behavior? There is a known security vulnerability in one of the versions of underscore used by a nested dependency. The current version of grapesjs utilises backbone-undo ^0.2.5 (https://github.com/artf/grapesjs/blob/d7f773202c72710dd787e2ce418c114c9ef81986/package.json#L20), the latest version of which is 0.2.5 via npm. Version 0.2.5 of backbone-undo has a fixed limit on the underscore version: "underscore": "1.4.4 - 1.8.3", which looks to be vulnerable based o...
Answers (4)
I'm also wondering if backbone-undo is needed or can be replaced by something similar. The package hasn't been updated for 6 years.
"The package hasn't been updated for 6 years"
Well, except updating its dependencies (like in this case, for security reasons) it's a feature-complete library; there is no need to add/update anything else. Anyway, this PR seems to fix the security vulnerability at the .lock level but I'm not sure if a...
Thanks for your reply.
"Anyway, this PR seems to fix the security vulnerability at the .lock level but I'm not sure if they are kept on a fresh install."
I think that might fix the version in the main grapesjs repo, but I'm not sure it restricts the one imported via backbone-undo. If you set up a fresh proje...
Thanks for reporting this, @chilled-capybara. Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date. For you right now:
- Run npm audit fix to see available patches
- Check for a newer GrapesJS version that may have already addressed this
- If a...
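Added example, not code from the GrapesJS project or from anyone in this thread: a small Node script that walks a package-lock.json and reports every resolved copy of a package together with the range declared by the package that requested it, which is the check the second and third answers are circling around (whether a lock-level fix survives a fresh install, and which parent still pins the old range). The lockfile is constructed; the "1.4.4 - 1.8.3" range is the one quoted in the question, and the fixedVersion argument is a placeholder for the patched release from your own npm audit output, which this page does not state.

```javascript
// Constructed lockfile (lockfileVersion 3 "packages" map) mirroring the thread:
// the root depends on backbone-undo, whose manifest pins underscore to
// "1.4.4 - 1.8.3", so npm nests a second, older underscore under it.
const constructedLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "backbone-undo": "^0.2.5", underscore: "^1.13.0" } },
    "node_modules/underscore": { version: "1.13.6" },
    "node_modules/backbone-undo": {
      version: "0.2.5",
      dependencies: { underscore: "1.4.4 - 1.8.3" },
    },
    // Nested copy: the hoisted 1.13.6 does not satisfy backbone-undo's range.
    "node_modules/backbone-undo/node_modules/underscore": { version: "1.8.3" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release suffixes are dropped).
const parse = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Does `version` satisfy an npm hyphen range such as "1.4.4 - 1.8.3"?
// Only the hyphen form is handled; caret/tilde syntax is out of scope here.
function inHyphenRange(version, range) {
  const [lo, hi] = range.split(" - ");
  return cmp(version, lo) >= 0 && cmp(version, hi) <= 0;
}

// Every resolved copy of `name` in the lock: its path, version, the nearest
// parent package that requested it ("(root)" when hoisted) and that parent's
// declared range, so a stale nested pin is visible at a glance.
function resolvedCopies(lock, name) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path !== `node_modules/${name}` && !path.endsWith(`/node_modules/${name}`)) continue;
    const parent = path.slice(0, path.lastIndexOf("node_modules/")).replace(/\/$/, "");
    const range = (lock.packages[parent] || {}).dependencies?.[name] ?? null;
    out.push({ path, version: meta.version, requestedBy: parent || "(root)", range });
  }
  return out;
}

// Copies resolved below `fixedVersion` (placeholder: take the patched release
// from your own audit output; this page does not state it).
function copiesBelow(lock, name, fixedVersion) {
  return resolvedCopies(lock, name).filter((c) => cmp(c.version, fixedVersion) < 0);
}

console.table(resolvedCopies(constructedLock, "underscore"));
```

Run it against a real lockfile by replacing constructedLock with JSON.parse of the file contents; a copy listed with requestedBy "node_modules/backbone-undo" after a fresh install means the override did not reach the nested dependency.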