Issue #3443 (Answered). Opened May 7, 2021 by chilled-capybara

Backbone-undo/underscore security advisory


Question

Version: v0.17.3

Are you able to reproduce the bug from the demo?
[x] Yes
[ ] No

What is the expected behavior?
See below

What is the current behavior?
There is a known security vulnerability in one of the versions of underscore used by a nested dependency. The current version of grapesjs utilises backbone-undo ^0.2.5 (https://github.com/artf/grapesjs/blob/d7f773202c72710dd787e2ce418c114c9ef81986/package.json#L20). The latest version of which is 0.2.5 via npm. Version 0.2.5 of backbone-undo has a fixed limit on the underscore version: "underscore": "1.4.4 - 1.8.3", which looks to be vulnerable based o...

Answers (4)

emyasnikov • May 11, 2021

I'm also wondering if backbone-undo is needed or can be replaced by something similar. The package hasn't been updated for 6 years.

artf • May 18, 2021

"The package hasn't been updated for 6 years"

Well, except for updating its dependencies (like in this case, for security reasons), it's a feature-complete library; there is no need to add/update anything else. Anyway, this PR seems to fix the security vulnerability at the .lock level but I'm not sure if a...

chilled-capybara • May 27, 2021

Thanks for your reply.

"Anyway, this PR seems to fix the security vulnerability at the .lock level but I'm not sure if they are kept on a fresh install."

I think that might fix the version in the main grapesjs repo, but I'm not sure it restricts the one imported via backbone-undo. If you set up a fresh proje...
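The concern raised above (a root-level lockfile bump does not constrain the copy of underscore that backbone-undo pulls in through its own "1.4.4 - 1.8.3" range) is easiest to settle by reading the lockfile directly. The script below is an added example, not code from GrapesJS or backbone-undo: it scans an npm package-lock.json (lockfileVersion 2 or 3, the "packages" map) for every installed copy of one package, reports which package owns each copy and what range that owner declares, and flags the copies whose version falls inside a given hyphen range. The embedded lockfile is constructed for the example; its package versions are illustrative and are not the project's real lockfile, and the hoisted underscore version in it is not a claim about which underscore release fixes the advisory.

```javascript
'use strict';

// Constructed sample lockfile (lockfileVersion 2 shape). Not the real
// GrapesJS lockfile: the versions are illustrative. The root gets a hoisted,
// newer underscore, but backbone-undo's range excludes it, so npm installs a
// second, nested copy under backbone-undo that the root bump never touches.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { grapesjs: '^0.17.3' } },
    'node_modules/grapesjs': {
      version: '0.17.3',
      dependencies: { 'backbone-undo': '^0.2.5', underscore: '^1.13.1' },
    },
    'node_modules/underscore': { version: '1.13.1' }, // hoisted copy (illustrative version)
    'node_modules/backbone-undo': {
      version: '0.2.5',
      dependencies: { underscore: '1.4.4 - 1.8.3' }, // the range quoted in the issue
    },
    'node_modules/backbone-undo/node_modules/underscore': { version: '1.8.3' }, // nested copy
  },
};

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports an exact version ("1.8.3") or an inclusive hyphen range
// ("1.4.4 - 1.8.3"). Other semver syntax (^, ~, ||, x) is out of scope here;
// use the `semver` package for a full implementation.
function inRange(version, range) {
  const parts = String(range).trim().split(/\s+-\s+/);
  if (parts.length === 1) return compareVersions(version, parts[0]) === 0;
  if (parts.length !== 2) throw new Error(`unsupported range: ${range}`);
  return compareVersions(version, parts[0]) >= 0 && compareVersions(version, parts[1]) <= 0;
}

// Every installed copy of `name`: its lockfile path, resolved version, the
// package whose node_modules folder it lives in, and the range that package
// declares for it (undefined when the copy is hoisted and not declared by root).
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  const packages = lock.packages || {};
  const copies = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    const parentPath = path === suffix ? '' : path.slice(0, -(suffix.length + 1));
    const parent = packages[parentPath] || {};
    copies.push({
      path,
      version: entry.version,
      owner: parentPath === '' ? '(root project)' : parentPath,
      declaredRange: (parent.dependencies || {})[name],
    });
  }
  return copies;
}

// Copies whose resolved version sits inside `range`, e.g. the range pinned by
// backbone-undo 0.2.5.
function copiesInRange(lock, name, range) {
  return findCopies(lock, name).filter((c) => inRange(c.version, range));
}

// Load a real lockfile from disk (only called when a path is given).
function loadLock(file) {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(file, 'utf8'));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node lockfile-copies.js [path/to/package-lock.json]
  const lock = process.argv[2] ? loadLock(process.argv[2]) : SAMPLE_LOCK;
  for (const c of findCopies(lock, 'underscore')) {
    console.log(`${c.path} -> ${c.version} (owner: ${c.owner}, declares: ${c.declaredRange || 'n/a'})`);
  }
  const flagged = copiesInRange(lock, 'underscore', '1.4.4 - 1.8.3');
  console.log(flagged.length ? `${flagged.length} copy(ies) still inside 1.4.4 - 1.8.3` : 'no copies inside 1.4.4 - 1.8.3');
}
```

Run it against a project's real package-lock.json and the nested entry under node_modules/backbone-undo is the one to watch: editing the root entry in the lockfile only changes the hoisted copy, and a fresh `npm install` will again resolve the nested copy from backbone-undo's declared range. To force a single copy, npm (8.3 and later) honours an `overrides` field in package.json and Yarn a `resolutions` field; note that this installs a version backbone-undo's own manifest does not claim to support, so the combination needs testing.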

GJSBlock • May 17, 2026

Thanks for reporting this, @chilled-capybara. Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.

For you right now:
- Run npm audit fix to see available patches
- Check for a newer GrapesJS version that may have already addressed this
- If a...
