Issue #3332 · Answered · Opened March 11, 2021 by AmtechInnovarch · 1 reaction

Nearly half the packages specified have high risk vulnerabilities, all have some vulnerability.


Question

After npm i we can see that the level of vulnerabilities is unacceptable.

added 646 packages from 383 contributors and audited 762 packages in 7.892s
found 724 vulnerabilities (353 low, 23 moderate, 348 high)
  run npm audit fix to fix them, or npm audit for details

I'm trying to fix the problem, at least locally. It will take a long time because every single specified package has a vulnerability.

Answers (4)

AmtechInnovarch · March 11, 2021

This is why veteran coders with decades of experience disapprove of JS as a back-end language. Javascript is not intended to be a server side language, and these node packages create vulnerabilities that get servers hacked.

grapesjs$ npm audit fix

changed 1 package, and audited 2026 packages in 3s

# npm audit report

diff  <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/diff
  disparity  <=2.0.0
  Depends on vulnerable versions of diff
  node_modules/disparity
    documentation  4.0.0-beta - 13.0.1
    Depends on vulnerable versions of disparity
    Depends on vulnerable versions of yargs
    node_modules/documentation

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/os-locale
    yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/yargs
      documentation  4.0.0-beta - 13.0.1
      Depends on vulnerable versions of disparity
      Depends on vulnerable versions of yargs
      node_modules/documentation

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    documentation  4.0.0-beta - 13.0.1
    Depends on vulnerable versions of disparity
    Depends on vulnerable versions of yargs
    node_modules/documentation

7 vulnerabilities (4 low, 3 high)

This is a serious security concern and should be addressed by the developer, or there should be adequate warning in the readme.md that discourages production use without fixing all these vulnerabilities.

Is there a way to only use the client side layer of GrapesJS? Can the developer please identify the client side files?

KernelDeimos · March 11, 2021

GrapesJS has a server-side layer?

KernelDeimos · March 11, 2021

Javascript is not intended to be a server side language, and these node packages create vulnerabilities that get servers hacked.

Are you implying that Javascript is the only language where dependencies can introduce security vulnerabilities? If there's some trait of Javascript that makes these sorts of vulnerabilities more likely you ought to specify this in your statement, otherwise what you're saying is just subjective nonsense.

ClaudeCode · May 17, 2026

Thanks for reporting this, @AmtechInnovarch.

Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.

For you right now:

  1. Run npm audit fix to see available patches
  2. Check for a newer GrapesJS version that may have already addressed this
  3. If available, test the latest stable release before upgrading
  4. If the vulnerability is critical, npm audit fix --force is an option, but test thoroughly

Understanding the risk:

  • Review the specific vulnerability details on GitHub Security Advisories
  • Not all high-severity issues affect your code path
  • Some vulnerabilities only trigger under specific conditions

Staying current:

  • Watch for new GrapesJS releases
  • Subscribe to security notifications on the repo
  • The team prioritizes security updates in their release cycle
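As an added example (not code from this thread or from the GrapesJS project), here is a Node script that triages an npm audit --json report the way the steps above suggest: for every package that carries an advisory it walks the report's effects chain up to the package.json root the vulnerable package enters through, labels the finding production or dev-only, and reads fixAvailable.isSemVerMajor to tell which fixes npm audit fix applies on its own and which need --force. The report object follows npm 7's auditReportVersion 2 shape and is constructed to mirror the diff, mem and yargs-parser chains in the audit output earlier in the thread. Several values are assumptions: that documentation is a devDependency, the low severities on the mem/yargs chain (inferred from the thread's "4 low, 3 high" total), the example-prod-lib package and its advisory (invented as a contrast case), and the PLACEHOLDER version strings.

```javascript
// Added example: triage `npm audit --json` output against package.json.
// Not code from the thread or the GrapesJS project. The report shape follows
// npm 7's auditReportVersion 2 format; every value below is CONSTRUCTED.

// Constructed fix descriptor: the report in the thread says each fix is a
// breaking change of `documentation`; the target version is a placeholder.
const majorFix = { name: 'documentation', version: 'PLACEHOLDER', isSemVerMajor: true };

// Constructed vulnerability entries mirroring the chains in the thread.
// `via` holds advisory objects (the package is itself vulnerable) or names of
// upstream packages (vulnerable only through them); `effects` lists downstream
// dependents. Severities on the mem/yargs chain are an assumption inferred
// from the thread's "7 vulnerabilities (4 low, 3 high)" total.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    diff: { severity: 'high', isDirect: false, effects: ['disparity'], fixAvailable: majorFix,
      via: [{ source: 1631, title: 'Regular Expression Denial of Service',
              url: 'https://npmjs.com/advisories/1631', severity: 'high', range: '<3.5.0' }] },
    disparity: { severity: 'high', isDirect: false, via: ['diff'], effects: ['documentation'], fixAvailable: majorFix },
    documentation: { severity: 'high', isDirect: true, via: ['disparity', 'yargs'], effects: [], fixAvailable: majorFix },
    mem: { severity: 'low', isDirect: false, effects: ['os-locale'], fixAvailable: majorFix,
      via: [{ source: 1084, title: 'Denial of Service',
              url: 'https://npmjs.com/advisories/1084', severity: 'low', range: '<4.0.0' }] },
    'os-locale': { severity: 'low', isDirect: false, via: ['mem'], effects: ['yargs'], fixAvailable: majorFix },
    yargs: { severity: 'low', isDirect: false, via: ['os-locale', 'yargs-parser'], effects: ['documentation'], fixAvailable: majorFix },
    'yargs-parser': { severity: 'low', isDirect: false, effects: ['yargs'], fixAvailable: majorFix,
      via: [{ source: 1500, title: 'Prototype Pollution',
              url: 'https://npmjs.com/advisories/1500', severity: 'low',
              range: '<=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1' }] },
    // Constructed contrast case: a direct production dependency with a made-up advisory.
    'example-prod-lib': { severity: 'moderate', isDirect: true, effects: [], fixAvailable: true,
      via: [{ source: 0, title: 'CONSTRUCTED advisory', url: 'https://example.invalid/advisory/CONSTRUCTED',
              severity: 'moderate', range: '<1.0.1' }] },
  },
};

// Constructed package.json. Assumption: `documentation` is a build-time tool
// listed under devDependencies, so nothing in its chain ships to production.
const packageJson = {
  dependencies: { 'example-prod-lib': '^1.0.0' },
  devDependencies: { documentation: '^13.0.0' },
};

// Follow `effects` edges until packages nothing depends on are reached; those
// are the roots (direct dependencies) through which `name` enters the tree.
function findRoots(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry || entry.effects.length === 0) return [name];
  return entry.effects.flatMap((dep) => findRoots(vulns, dep, seen));
}

// Translate npm's `fixAvailable` field into the command a maintainer would run.
function fixCommand(fixAvailable) {
  if (fixAvailable === false) return 'no fix available';
  if (fixAvailable === true || !fixAvailable.isSemVerMajor) return 'npm audit fix';
  return 'npm audit fix --force (semver-major upgrade of ' + fixAvailable.name + ')';
}

// One row per package that carries an advisory itself; packages that are
// vulnerable only through an upstream are folded into that upstream's roots.
function triage(report, pkg) {
  const vulns = report.vulnerabilities;
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const rows = [];
  for (const [name, v] of Object.entries(vulns)) {
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;
    const roots = [...new Set(findRoots(vulns, name))];
    const scope = roots.some((r) => prod.has(r)) ? 'production'
                : roots.some((r) => dev.has(r)) ? 'dev-only' : 'unlisted';
    rows.push({ name, severity: v.severity, scope, roots,
                advisories: advisories.map((a) => `${a.title} (${a.url})`),
                fix: fixCommand(v.fixAvailable) });
  }
  return rows;
}

for (const r of triage(auditReport, packageJson)) {
  console.log(`${r.severity.padEnd(8)} ${r.scope.padEnd(10)} ${r.name}  enters via: ${r.roots.join(', ')}`);
  console.log(`         ${r.advisories.join('; ')}`);
  console.log(`         fix: ${r.fix}`);
}
```

On a real project, replace the constructed objects with JSON.parse of npm audit --json and of package.json. The dev-only label is a prioritisation aid, not a dismissal: a ReDoS in a build tool still runs on CI machines, but it does not sit in the code path that serves requests, which is the distinction the "not all high-severity issues affect your code path" point is making.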
