diff --git a/changes/en-us/develop.md b/changes/en-us/develop.md
index 7ebad829639..37913bbcb4c 100644
--- a/changes/en-us/develop.md
+++ b/changes/en-us/develop.md
@@ -22,6 +22,7 @@ Add changes here for all PR submitted to the develop branch.
 - [[#4761](https://github.com/seata/seata/pull/4761)] use hget replace hmget because only one field
 - [[#4414](https://github.com/seata/seata/pull/4414)] exclude log4j dependencies
 - [[#4836](https://github.com/seata/seata/pull/4836)] optimize BaseTransactionalExecutor#buildLockKey(TableRecords rowsIncludingPK) method more readable
+- [[#4865](https://github.com/seata/seata/pull/4865)] fix some security vulnerabilities in GGEditor
 ### test:
 - [[#4794](https://github.com/seata/seata/pull/4794)] try to fix the test `DataSourceProxyTest.getResourceIdTest()`
diff --git a/changes/zh-cn/develop.md b/changes/zh-cn/develop.md
index f40ee88afde..5d5a7145df7 100644
--- a/changes/zh-cn/develop.md
+++ b/changes/zh-cn/develop.md
@@ -22,6 +22,7 @@
 - [[#4761](https://github.com/seata/seata/pull/4761)] 使用 hget 代替 RedisLocker 中的 hmget, 因为只有一个 field
 - [[#4414](https://github.com/seata/seata/pull/4414)] 移除log4j依赖
 - [[#4836](https://github.com/seata/seata/pull/4836)] 优化 BaseTransactionalExecutor#buildLockKey(TableRecords rowsIncludingPK) 方法可读性
+- [[#4865](https://github.com/seata/seata/pull/4865)] 修复 Saga 可视化设计器 GGEditor 安全漏洞
 ### test:
 - [[#4794](https://github.com/seata/seata/pull/4794)] 重构代码,尝试修复单元测试 `DataSourceProxyTest.getResourceIdTest()`
diff --git a/saga/seata-saga-statemachine-designer/README.md b/saga/seata-saga-statemachine-designer/README.md
index f47207905c1..9f86bd1839d 100644
--- a/saga/seata-saga-statemachine-designer/README.md
+++ b/saga/seata-saga-statemachine-designer/README.md
@@ -16,7 +16,7 @@ $ npm start
 ## build a package
 ```sh
 $ cd saga/saga-statemachine-designer
-$ npm build
+$ npm run build
 ```
 copy 'index.html' and 'dist' directory to static html directory of web server
diff --git a/saga/seata-saga-statemachine-designer/README.zh-CN.md b/saga/seata-saga-statemachine-designer/README.zh-CN.md
index 61be6065728..a056180a54f 100644
--- a/saga/seata-saga-statemachine-designer/README.zh-CN.md
+++ b/saga/seata-saga-statemachine-designer/README.zh-CN.md
@@ -16,7 +16,7 @@ $ npm start
 ## 打包
 ```sh
 $ cd saga/saga-statemachine-designer
-$ npm build
+$ npm run build
 ```
 然后将index.html和dist目录拷贝到web server的静态页面目录下
diff --git a/saga/seata-saga-statemachine-designer/index.html b/saga/seata-saga-statemachine-designer/index.html
index e42c917871b..058fc84d0a8 100644
--- a/saga/seata-saga-statemachine-designer/index.html
+++ b/saga/seata-saga-statemachine-designer/index.html
@@ -6,16 +6,16 @@ Seata Saga StateMachine Designer - +
- - - - - + + + + +
diff --git a/saga/seata-saga-statemachine-designer/package-lock.json b/saga/seata-saga-statemachine-designer/package-lock.json
index 942a4b84b3e..1bb7869df98 100644
--- a/saga/seata-saga-statemachine-designer/package-lock.json
+++ b/saga/seata-saga-statemachine-designer/package-lock.json
@@ -2090,9 +2090,9 @@
 "dev": true
 },
 "async": {
- "version": "2.6.3",
- "resolved": "https://registry.npm.taobao.org/async/download/async-2.6.3.tgz",
- "integrity": "sha1-1yYl4jRKNlbjo61Pp0n6gymdgv8=",
+ "version": "2.6.4",
+ "resolved": "https://registry.npmjs.org/async/-/async-2.6.4.tgz",
+ "integrity": "sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA==",
 "dev": true,
 "requires": {
 "lodash": "^4.17.14"
@@ -4554,9 +4554,9 @@
 "dev": true
 },
 "eventsource": {
- "version": "1.0.7",
- "resolved": "https://registry.npm.taobao.org/eventsource/download/eventsource-1.0.7.tgz",
- "integrity": "sha1-j7xyyT/NNAiAkLwKTmT0tc7m2NA=",
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/eventsource/-/eventsource-1.1.1.tgz",
+ "integrity": "sha512-qV5ZC0h7jYIAOhArFJgSfdyz6rALJyb270714o7ZtNnw2WSJ+eexhKtE0O8LYPRsHZHf2osHKZBxGPvm3kPkCA==",
 "dev": true,
 "requires": {
 "original": "^1.0.0"
@@ -6293,9 +6293,9 @@
 }
 },
 "lodash": {
- "version": "4.17.15",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
- "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A=="
+ "version": "4.17.21",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
 },
 "lodash._reinterpolate": {
 "version": "3.0.0",
@@ -9569,9 +9569,9 @@
 "dev": true
 },
 "terser": {
- "version": "4.8.0",
- "resolved": "https://registry.npm.taobao.org/terser/download/terser-4.8.0.tgz?cache=0&sync_timestamp=1592448432005&other_urls=https%3A%2F%2Fregistry.npm.taobao.org%2Fterser%2Fdownload%2Fterser-4.8.0.tgz",
- "integrity": "sha1-YwVjQ9fHC7KfOvZlhlpG/gOg3xc=",
+ "version": "4.8.1",
+ "resolved": "https://registry.npmjs.org/terser/-/terser-4.8.1.tgz",
+ "integrity": "sha512-4GnLC0x667eJG0ewJTa6z/yXrbLGv80D9Ru6HIpCQmO+Q4PfEtBFi0ObSckqwL6VyQv/7ENJieXHo2ANmdQwgw==",
 "dev": true,
 "requires": {
 "commander": "^2.20.0",
@@ -9581,8 +9581,8 @@
 "dependencies": {
 "source-map": {
 "version": "0.6.1",
- "resolved": "https://registry.npm.taobao.org/source-map/download/source-map-0.6.1.tgz",
- "integrity": "sha1-dHIq8y6WFOnCh6jQu95IteLxomM=",
+ "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+ "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
 "dev": true
 }
 }
@@ -9961,9 +9961,9 @@
 }
 },
 "url-parse": {
- "version": "1.4.7",
- "resolved": "https://registry.npm.taobao.org/url-parse/download/url-parse-1.4.7.tgz?cache=0&other_urls=https%3A%2F%2Fregistry.npm.taobao.org%2Furl-parse%2Fdownload%2Furl-parse-1.4.7.tgz",
- "integrity": "sha1-qKg1NejACjFuQDpdtKwbm4U64ng=",
+ "version": "1.5.10",
+ "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz",
+ "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==",
 "dev": true,
 "requires": {
 "querystringify": "^2.1.1",
diff --git a/saga/seata-saga-statemachine-designer/package.json b/saga/seata-saga-statemachine-designer/package.json
index be69633d659..73da2658835 100644
--- a/saga/seata-saga-statemachine-designer/package.json
+++ b/saga/seata-saga-statemachine-designer/package.json
@@ -51,7 +51,7 @@
 "@antv/g6": "^2.2.6",
 "codemirror": "^5.55.0",
 "core-js": "^3.6.5",
- "lodash": "^4.17.10",
+ "lodash": "^4.17.21",
 "react-codemirror": "^1.0.0"
 },
 "devDependencies": {