BUG: backbone-undo/underscore security advisory

I'm also wondering if backbone-undo is needed or can be replaced by something similar. The package hasn't been updated for 6 years

The package hasn't been updated for 6 years

Well, except updating its dependencies (like in this case, for security reason) it's a feature-complete library, there is no need to add/update anything else.

Anyway, this PR seems to fix the security vulnerability at the .lock level but I'm not sure if are kept on a fresh install. I know that yarn has resolutions for such cases but not sure about alternatives in npm.

Thanks for your reply

Anyway, this PR seems to fix the security vulnerability at the .lock level but I'm not sure if are kept on a fresh install.

I think that might fix the version in the main grapejs repo, but I'm not sure it restricts the one imported via backbone-undo.

If you set up a fresh project via

yarn init
yarn add grapesjs

the new yarn.lock will still reference both versions;

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


backbone-undo@^0.2.5:
  version "0.2.5"
  resolved "https://registry.yarnpkg.com/backbone-undo/-/backbone-undo-0.2.5.tgz#55b25230f90319ca622465e89a80248b893c2ce2"
  integrity sha1-VbJSMPkDGcpiJGXomoAki4k8LOI=
  dependencies:
    backbone "1.0.0 - 1.2.1"
    underscore "1.4.4 - 1.8.3"

...

grapesjs@^0.17.4:
  version "0.17.4"
  resolved "https://registry.yarnpkg.com/grapesjs/-/grapesjs-0.17.4.tgz#4baf69598b74a2e58c5133d9ab85631cf4de53e1"
  integrity sha512-oBFCg88KpUKly4LCf+FG42f0kbIKBbkilpyBr+2aggnLRpeSYFv3Db+fQIG+H1Y345QVqKbi/IKEUJe5X0wuiw==
  dependencies:
    backbone "1.3.3"
    backbone-undo "^0.2.5"
    cash-dom "^2.3.9"
    codemirror "^5.58.2"
    codemirror-formatting "^1.0.0"
    keymaster "^1.6.2"
    promise-polyfill "^8.1.3"
    spectrum-colorpicker "^1.8.0"
    underscore "^1.9.1"

...

"[email protected] - 1.8.3":
  version "1.8.3"
  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.8.3.tgz#4f3fb53b106e6097fcf9cb4109f2a5e9bdfa5022"
  integrity sha1-Tz+1OxBuYJf8+ctBCfKl6b36UCI=

underscore@>=1.7.0, underscore@>=1.8.3, underscore@^1.9.1:
  version "1.13.1"
  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.13.1.tgz#0c1c6bd2df54b6b69f2314066d65b6cde6fcf9d1"
  integrity sha512-hzSoAVtJF+3ZtiFX0VgfFPHEDRm7Y/QPjGyNo4TVdnDTdft3tr8hEkD25a1jC+TjTuE7tkHGKkhwCgs9dgBB2g==