Dependency: backbone-undo is deprecated (npm) — any plan to replace/remove?
Question
GrapesJS version
0.22.14 (latest release as of 2025-11-20)
What's the expected behavior?
No deprecated dependencies in the GrapesJS install tree (or guidance/roadmap on replacing them).
What's the current behavior?
Installing grapesjs@0.22.14 emits an npm/pnpm deprecation warning because it depends on backbone-undo (deprecated on npm).
Steps to reproduce
- pnpm add grapesjs@0.22.14 (or npm i grapesjs@0.22.14)
- Observe the deprecation warning for backbone-undo
Additional context
- This is not a vulnerability report by itself; it's a maintenance/support risk (supply-chain concern).
- Related historical issue: #3443 addressed the underscore advisory path; this report is specifically about the package deprecation status.
- Question: is there a plan to remove/replace backbone-undo, or should consumers treat this as "won't fix" and ignore the warning?
Answers (1)
Thanks for reporting this, @rhaarhoff.
Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.
For you right now:
- Run `npm audit fix` to see available patches
- Check for a newer GrapesJS version that may have already addressed this
- If available, test the latest stable release before upgrading
- If the vulnerability is critical, `npm audit fix --force` is an option, but test thoroughly
Understanding the risk:
- Review the specific vulnerability details on GitHub Security Advisories
- Not all high-severity issues affect your code path
- Some vulnerabilities only trigger under specific conditions
Staying current:
- Watch for new GrapesJS releases
- Subscribe to security notifications on the repo
- The team prioritizes security updates in their release cycle
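npm lockfiles (lockfileVersion 2 and 3) record a `deprecated` message on each affected package entry, so the deprecation status raised in this issue can be tracked separately from `npm audit` findings. The following is an added example, not part of the issue thread or of GrapesJS; the lockfile is constructed, and the `0.0.0` versions, the `my-app` name and the deprecation text are placeholders.

```javascript
// Constructed lockfile (lockfileVersion 3 layout). The 0.0.0 versions and the
// deprecation text are placeholders, not registry values.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { grapesjs: "0.22.14" } },
    "node_modules/grapesjs": {
      version: "0.22.14",
      dependencies: { "backbone-undo": "*", underscore: "*" },
    },
    "node_modules/backbone-undo": {
      version: "0.0.0",
      deprecated: "placeholder deprecation message",
    },
    "node_modules/underscore": { version: "0.0.0" },
  },
};

// Package name = text after the last "node_modules/" in a lockfile key.
function nameOf(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Every entry carrying npm's "deprecated" field, plus the packages that
// declare it as a dependency (matched by name; nested versions are not resolved).
function findDeprecated(lock) {
  const entries = Object.entries(lock.packages || {});
  return entries
    .filter(([, meta]) => typeof meta.deprecated === "string")
    .map(([key, meta]) => {
      const name = nameOf(key);
      const requiredBy = entries
        .filter(([, m]) =>
          [m.dependencies, m.optionalDependencies, m.peerDependencies]
            .some((deps) => deps && name in deps))
        .map(([k, m]) => (k === "" ? m.name || "(root)" : nameOf(k)));
      return { name, version: meta.version, message: meta.deprecated, requiredBy };
    });
}

// True when the root project does not list the package itself, i.e. the
// fix has to come from an upstream release rather than a local version bump.
function isTransitive(lock, name) {
  const root = (lock.packages || {})[""] || {};
  return !(name in { ...root.dependencies, ...root.devDependencies });
}

console.log(JSON.stringify(findDeprecated(SAMPLE_LOCK), null, 2));
```

To use it on a real project, pass the parsed contents of `package-lock.json` to `findDeprecated` in place of `SAMPLE_LOCK`.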