The latest released version of JointJS is supported.

Please email security@client.io, and we will respond as quickly as possible.

If the vulnerability is considered valid and accepted, a patch will be made for the latest JointJS version. If the vulnerability is deemed invalid, no further action is required.