Gathering detailed insights and metrics for tinymce
Gathering detailed insights and metrics for tinymce
The world's #1 JavaScript library for rich text editing. Available for React, Vue and Angular
Installations
npm install tinymceDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
22.9.0
NPM Version
10.8.3
Score
99.9
Supply Chain
95.1
Quality
92.1
Maintenance
100
Vulnerability
81.3
License
Releases
Unable to fetch releases
Languages
6
TypeScript
HTML
Less
JavaScript
CSS
Makefile
TypeScript (94.52%)
HTML (2.84%)
Less (1.74%)
JavaScript (0.82%)
CSS (0.07%)
Makefile (0.01%)
Developer
Download Statistics
Total Downloads
107,856,906
Last Day
105,609
Last Week
642,482
Last Month
2,647,770
Last Year
31,992,464
GitHub Statistics
NOASSERTION License
15,573 Stars
26,551 Commits
2,291 Forks
259 Watchers
187 Branches
229 Contributors
Updated on May 24, 2025
Bundle Size
437.24 kB
Minified
153.22 kB
Minified + Gzipped
Maintainers
3
Package Meta Information
Latest Version
7.9.0
Package Id
tinymce@7.9.0
Unpacked Size
9.64 MB
Size
1.92 MB
File Count
214
NPM Version
10.8.3
Node Version
22.9.0
Published on
May 15, 2025
Total Downloads
Cumulative downloads
Total Downloads
107,856,906
Last Day
-2.1%
105,609
Compared to previous day
Last Week
1.5%
642,482
Compared to previous week
Last Month
-4.6%
2,647,770
Compared to previous month
Last Year
22.1%
31,992,464
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
TinyMCE
The world's #1 open source rich text editor.
Using an old version of TinyMCE? We recommend you to upgrade to TinyMCE 7 to continue receiving security updates, or consider TinyMCE 5 LTS if you need more time to upgrade.
Used and trusted by millions of developers, TinyMCE is the world’s most customizable, scalable, and flexible rich text editor. We’ve helped launch the likes of Atlassian, Medium, Evernote (and lots more that we can’t tell you), by empowering them to create exceptional content and experiences for their users.
With more than 350M+ downloads every year, we’re also one of the most trusted enterprise-grade open source HTML editors on the internet. There’s currently more than 100M+ products worldwide, powered by Tiny. As a high powered WYSIWYG editor, TinyMCE is built to scale, designed to innovate, and thrives on delivering results to difficult edge-cases.
You can access a full featured demo of TinyMCE in the docs on the TinyMCE website.
Get started with TinyMCE
Getting started with the TinyMCE rich text editor is easy, and for simple configurations can be done in less than 5 minutes.
TinyMCE Cloud Deployment Quick Start Guide
TinyMCE Self-hosted Deployment Guide
TinyMCE provides a range of configuration options that allow you to integrate it into your application. Start customizing with a basic setup.
Configure it for one of three modes of editing:
Features
Integration
TinyMCE is easily integrated into your projects with the help of components such as:
With over 29 integrations, and 400+ APIs, see the TinyMCE docs for a full list of editor integrations.
Customization
It is easy to configure the UI of your rich text editor to match the design of your site, product or application. Due to its flexibility, you can configure the editor with as much or as little functionality as you like, depending on your requirements.
With 50+ powerful plugins available, and content editable as the basis of TinyMCE, adding additional functionality is as simple as including a single line of code.
Realizing the full power of most plugins requires only a few lines more.
Extensibility
Sometimes your editor requirements can be quite unique, and you need the freedom and flexibility to innovate. Thanks to TinyMCE being open source, you can view the source code and develop your own extensions for custom functionality to meet your own requirements.
The TinyMCE API is exposed to make it easier for you to write custom functionality that fits within the existing framework of TinyMCE UI components.
Extended Features and Support
For the professional software teams that require more in-depth efficiency, compliance or collaborative features built to enterprise-grade standards, please get in touch with our team.
Tiny also offers dedicated SLAs and support for professional development teams.
Compiling and contributing
In 2019 the decision was made to transition our codebase to a monorepo. For information on compiling and contributing, see: contribution guidelines.
As an open source product, we encourage and support the active development of our software.
Want more information?
Visit the TinyMCE website and check out the TinyMCE documentation.
License
Licensed under the terms of GNU General Public License Version 2 or later. For full details about the license, please check the LICENSE.md file.
High
0/10
Summary
Cross-site scripting vulnerability in TinyMCE
Affected Versions
>= 5.0.0, < 5.1.4
Patched Versions
5.1.4
High
0/10
Summary
Cross-site scripting vulnerability in TinyMCE
Affected Versions
< 4.9.7
Patched Versions
4.9.7
Moderate
6.1/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Affected Versions
>= 7.0.0, < 7.2.0
Patched Versions
7.2.0
Moderate
6.1/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Affected Versions
>= 6.0.0, < 6.8.4
Patched Versions
6.8.4
Moderate
6.1/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Affected Versions
< 5.11.0
Patched Versions
5.11.0
Moderate
6.1/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
Affected Versions
>= 7.0.0, < 7.2.0
Patched Versions
7.2.0
Moderate
6.1/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
Affected Versions
>= 6.0.0, < 6.8.4
Patched Versions
6.8.4
Moderate
6.1/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
Affected Versions
< 5.11.0
Patched Versions
5.11.0
Moderate
4.3/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
Affected Versions
< 6.8.1
Patched Versions
6.8.1
Moderate
4.3/10
Summary
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Affected Versions
< 7.0.0
Patched Versions
7.0.0
Moderate
6.1/10
Summary
Cross-site scripting vulnerability in TinyMCE
Affected Versions
< 5.9.0
Patched Versions
5.9.0
Moderate
6.1/10
Summary
Cross-site scripting vulnerability in TinyMCE plugins
Affected Versions
< 5.10.0
Patched Versions
5.10.0
Moderate
0/10
Summary
Cross-site scripting vulnerability in TinyMCE
Affected Versions
< 5.6.0
Patched Versions
5.6.0
Moderate
0/10
Summary
Duplicate Advisory: Cross-site scripting vulnerability in TinyMCE
Affected Versions
< 5.6.0
Moderate
0/10
Summary
Duplicate Advisory: Cross-site scripting vulnerability in TinyMCE plugins
Affected Versions
< 5.10.0
Moderate
0/10
Summary
Duplicate Advisory: Cross-site scripting vulnerability in TinyMCE
Affected Versions
< 5.9.0
Patched Versions
5.9.0
Moderate
6.1/10
Summary
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
Affected Versions
>= 6.0.0, < 6.7.3
Patched Versions
6.7.3
Moderate
6.1/10
Summary
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
Affected Versions
< 5.10.9
Patched Versions
5.10.9
Moderate
6.1/10
Summary
TinyMCE XSS vulnerability in notificationManager.open API
Affected Versions
< 5.10.8
Patched Versions
5.10.8
Moderate
6.1/10
Summary
TinyMCE XSS vulnerability in notificationManager.open API
Affected Versions
>= 6.0.0, < 6.7.1
Patched Versions
6.7.1
Moderate
6.1/10
Summary
TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin
Affected Versions
< 5.10.8
Patched Versions
5.10.8
Moderate
6.1/10
Summary
TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin
Affected Versions
>= 6.0.0, < 6.7.1
Patched Versions
6.7.1
Moderate
5.4/10
Summary
Cross-site scripting vulnerability in TinyMCE alerts
Affected Versions
< 5.10.7
Patched Versions
5.10.7
Moderate
5.4/10
Summary
Cross-site scripting vulnerability in TinyMCE alerts
Affected Versions
>= 6.0.0, < 6.3.1
Patched Versions
6.3.1
Moderate
0/10
Summary
Cross-site scripting vulnerability in TinyMCE
Affected Versions
< 5.7.1
Patched Versions
5.7.1
Moderate
6.1/10
Summary
Duplicate Advisory: Cross-site scripting in TinyMCE
Affected Versions
>= 5.0.0, < 5.1.4
Patched Versions
5.1.4
Moderate
6.1/10
Summary
Duplicate Advisory: Cross-site scripting in TinyMCE
Affected Versions
< 4.9.7
Patched Versions
4.9.7
Moderate
6.1/10
Summary
Cross-site scripting vulnerability in TinyMCE
Affected Versions
>= 5.0.0, < 5.4.1
Patched Versions
5.4.1
Moderate
6.1/10
Summary
Cross-site scripting vulnerability in TinyMCE
Affected Versions
< 4.9.11
Patched Versions
4.9.11
Moderate
0/10
Summary
XSS in TinyMCE
Affected Versions
>= 5.0.0, < 5.2.2
Patched Versions
5.2.2
Moderate
0/10
Summary
XSS in TinyMCE
Affected Versions
< 4.9.10
Patched Versions
4.9.10
Low
0/10
Summary
Regex denial of service vulnerability in codesample plugin
Affected Versions
< 5.6.0
Patched Versions
5.6.0
Reason
30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no binaries found in the repo
Reason
project is fuzzed
Details
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/api/Arbitraries.ts:2
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/api/Generators.ts:2
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/ArbChildrenSchema.ts:2
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/ArbContent.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/ArbNodes.ts:2
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/ArbSchema.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/ArbSchemaTypes.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/GenSelection.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/PropertySteps.ts:1
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/TagDecorator.ts:1
- Info: TypeScriptPropertyBasedTesting integration found: modules/agar/src/main/ts/ephox/agar/arbitrary/WeightedChoice.ts:2
- Info: TypeScriptPropertyBasedTesting integration found: modules/mcagar/src/main/ts/ephox/mcagar/api/pipeline/TinyScenarios.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/models/dom/test/ts/atomic/table/TableUtilsTest.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/plugins/autolink/test/ts/browser/AutoLinkPluginTest.ts:5
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/plugins/link/test/ts/atomic/DialogChangesTest.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/plugins/lists/test/ts/atomic/ListNumberingTest.ts:4
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/plugins/lists/test/ts/browser/ListModelTest.ts:5
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/plugins/lists/test/ts/browser/RetainContentTest.ts:6
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/plugins/lists/test/ts/module/ArbList.ts:2
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/plugins/table/test/ts/atomic/UtilsTest.ts:3
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/themes/silver/test/ts/atomic/components/sizeinput/SizeInputConvertTest.ts:4
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/themes/silver/test/ts/atomic/components/sizeinput/SizeInputConverterTest.ts:5
- Info: TypeScriptPropertyBasedTesting integration found: modules/tinymce/src/themes/silver/test/ts/atomic/components/sizeinput/SizeInputParsingTest.ts:4
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:17
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:18
- Warn: no topLevel permission defined: .github/workflows/codeql.yml:1
- Info: no jobLevel write permissions found
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Warn: project license file does not contain an FSF or OSI license.
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 24 commits out of 25 are checked with a SAST tool
Reason
Found 25/30 approved changesets -- score normalized to 8
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/tinymce/tinymce/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/tinymce/tinymce/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/tinymce/tinymce/codeql.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/tinymce/tinymce/codeql.yml/main?enable=pin
- Info: 0 out of 4 GitHub-owned GitHubAction dependencies pinned
Reason
13 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-566m-qj78-rww5
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
7.5
/10
Last Scanned on 2025-05-12
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More