Dependency: grapesjs >=0.21.13 Depends on vulnerable versions of underscore
Thanks for the report @tiburciomzt The bump was merged and will soon be released.
Read full answer below ↓Question
GrapesJS version
- I confirm to use the latest version of GrapesJS
What browser are you using?
Edge, mozilla
Reproducible demo link
NA
Describe the bug
underscore <=1.13.7
Severity: high
underscore <=1.13.7
Severity: high
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack - https://github.com/advisories/GHSA-qpx9-hpmf-5gmw
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/underscore
grapesjs >=0.21.13
Depends on vulnerable versions of underscore
node_modules/grapesjs
Code of Conduct
- I agree to follow this project's Code of Conduct
Answers (2)
Thanks for the report @tiburciomzt
The bump was merged and will soon be released.
Thanks for reporting this, @tiburciomzt.
Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.
For you right now:
- Run
npm audit fixto see available patches - Check for a newer GrapesJS version that may have already addressed this
- If available, test the latest stable release before upgrading
- If the vulnerability is critical,
npm audit fix --forceis an option, but test thoroughly
Understanding the risk:
- Review the specific vulnerability details on GitHub Security Advisories
- Not all high-severity issues affect your code path
- Some vulnerabilities only trigger under specific conditions
Staying current:
- Watch for new GrapesJS releases
- Subscribe to security notifications on the repo
- The team prioritizes security updates in their release cycle
Related Questions and Answers
Continue research with similar issue discussions.
Issue #3443
backbone-undo/underscore security advisory
Version: v0.17.3 Are you able to reproduce the bug from the demo?[x] Yes[ ] No What is the expected behavior? See below What is the current...
Issue #6211
Too much recursion
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Firefox 131.0.2 Reproducible demo link htt...
Issue #5743
XSS vulnerability in iframe attribute src
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Edge v122 Reproducible demo link https://j...
Issue #5154
TS2416: Property '_up' in type 'PropertyStack' is not assignable to the same property in base type 'PropertyComposite<PropertyStackProps>'
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? ---- Reproducible demo link https://codesa...
Paid Plugins That Match This Issue
Curated by issue keywords and label relevance to help you ship faster.
Loading paid plugin recommendations...
Check the open-source GrapesJS plugins on GitHub or run a quick search in our free catalog.
Browse free plugins →Premium plugins ship with support, regular updates, and production-ready features — save days of integration work.
Browse premium plugins →Related tutorials
In-depth guides on the same topic.
Tutorial
Find the Right GrapesJS Plugin in Seconds: Smarter Discovery Is Live
We're shipping a set of discovery upgrades. New label filters, a proper compatibility switch for GrapesJS vs Studio, one-click and a smarter sort bar.
Tutorial
AutographJS - Signature Solution for Modern Web Editors
The Problem: Signature Capture Is Still Harder Than It Should Be
Tutorial
ScribeJS: Lightweight Inline Rich Text Editor
In the world of web development, rich text editors often feel bulky, slow, and difficult to integrate.
Browse Plugin Categories
Jump directly to plugin category pages on the marketplace.