GrapesJS Issues

3,464 parsed GitHub issues 370 solved · 90 open. Search, filter and explore battle-tested answers.

12 issues found

🔍 security
#3443May 7, 2021by chilled-capybara4 answers
0 reactions

Backbone-undo/underscore security advisory

Version: v0.17.3 Are you able to reproduce the bug from the demo?[x] Yes[ ] No What is the expected behavior? See below What is the current behavior? There is a known security vulnerability in one of the versions of underscore used by a nested dependency. The current version of grapejs utilises backbone-undo ^0.2.5 ht...

emyasnikov

I'm also wondering if backbone-undo is needed or can be replaced by something similar. The package hasn't been updated for 6 years

artf

The package hasn't been updated for 6 years Well, except updating its dependencies (like in this case, for security reason) it's a feature-complete library, there is no need to add/update anything else. Anyway, this PR seems to fix the sec...

chilled-capybara

Thanks for your replyAnyway, this PR seems to fix the security vulnerability at the .lock level but I'm not sure if are kept on a fresh install. I think that might fix the version in the main grapejs repo, but I'm not sure it restricts the...

#3332Mar 11, 2021by AmtechInnovarch4 answers
1 reactions

Nearly half the packages specified have high risk vulnerabilities, all have some vulnerability.

After npm i we can see that the level of vulnerabilities is unacceptable. added 646 packages from 383 contributors and audited 762 packages in 7.892s found 724 vulnerabilities (353 low, 23 moderate, 348 high) run npm audit fix to fix them, or npm audit for details I'm trying to fix the problem, at least locally. It wi...

AmtechInnovarch

This is why veteran coders with decades of experience disapprove of JS as a back-end language. Javascript is not intended to be a server side language, and these node packages create vulnerabilities that get servers hacked. This is a serio...

KernelDeimos

GrapesJS has a server-side layer?

KernelDeimos

Javascript is not intended to be a server side language, and these node packages create vulnerabilities that get servers hacked. Are you implying that Javascript is the only language where dependancies can introduce security vulnerabilitie...

Browse all topics