Dependency tabatkins/railroad-diagrams

I’ve taken a deeper look at the dependency report and the Software Bill of Materials (SBOM) for the latest Vaadin Flow version, 24.7.5.
I saw a CVE for the npm package

 tabatkins/railroad-diagrams

I’m curious why Vaadin Flow contains such a component? The dependency report mentioned a package

CycloneDX BOM (GitHub cyclonedx/cyclonedx-npm)

which contains the railroad-diagrams package. Does that mean that, in order to create the SBOM, tabatkins/railroad-diagrams was needed? ChatGPT mentioned that maybe some developer tooling needs to visualize Vaadin routes and uses that library. Is this true too?

Kind regards
Dominik

This sounds more like a bug within the SBOM creation. cyclonedx-npm should only be used / needed to create the SBOM; it’s not a mandatory dependency of the application. Nothing within Vaadin uses your mentioned npm package.
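One way to check a claim like this yourself, rather than trusting the flat component list, is to walk the CycloneDX `dependencies` graph from the application's root component and see which listed components are never reached. A component that appears in `components` but is unreachable from the root is not something the application pulls in; it is typically an artifact of the generator's own environment or a generator bug, exactly the situation described above. The script below is an added example, not Vaadin's or cyclonedx-npm's code. The SBOM it parses is constructed inline (the app name, the `lit` version and the `0.0.0-example` tool version are placeholders; only the CycloneDX JSON field names and the 24.7.5 version come from the thread and the spec), and it also reads `metadata.tools` in both the legacy array form and the 1.5 object form so the generator itself can be told apart from real dependencies.

```python
import json

# Constructed CycloneDX 1.5 JSON document, NOT a real Vaadin SBOM.
# Root application depends on @vaadin/flow-frontend -> lit, while
# railroad-diagrams is listed but nothing depends on it (an orphan).
# Package names and versions other than 24.7.5 are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        # 1.5 object form; the legacy 1.4 array form is handled too.
        "tools": {"components": [
            {"type": "application", "name": "cyclonedx-npm",
             "version": "0.0.0-example"}  # placeholder tool version
        ]},
        "component": {"type": "application", "name": "my-flow-app",
                      "bom-ref": "pkg:npm/my-flow-app@1.0.0"},
    },
    "components": [
        {"type": "library", "name": "@vaadin/flow-frontend",
         "bom-ref": "pkg:npm/%40vaadin/flow-frontend@24.7.5"},
        {"type": "library", "name": "lit", "bom-ref": "pkg:npm/lit@3.0.0"},
        {"type": "library", "name": "railroad-diagrams",
         "bom-ref": "pkg:npm/railroad-diagrams@1.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/my-flow-app@1.0.0",
         "dependsOn": ["pkg:npm/%40vaadin/flow-frontend@24.7.5"]},
        {"ref": "pkg:npm/%40vaadin/flow-frontend@24.7.5",
         "dependsOn": ["pkg:npm/lit@3.0.0"]},
        {"ref": "pkg:npm/lit@3.0.0", "dependsOn": []},
        {"ref": "pkg:npm/railroad-diagrams@1.0.0", "dependsOn": []},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def tool_names(sbom):
    """Names of the tools that produced the BOM (1.4 array or 1.5 object form)."""
    tools = sbom.get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):          # CycloneDX 1.5+: {"components": [...]}
        tools = tools.get("components", [])
    return sorted(t["name"] for t in tools if "name" in t)


def reachable_refs(sbom):
    """bom-refs reachable from the root application via the dependency graph."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), [root]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))   # unknown refs simply have no children
    return seen


def orphan_components(sbom):
    """Components listed in the BOM that the application never depends on."""
    reach = reachable_refs(sbom)
    return sorted(c["name"] for c in sbom.get("components", [])
                  if c.get("bom-ref") not in reach)


def classify(sbom, name):
    """'runtime' if the app reaches it, 'orphan' if listed but unreachable,
    'tool' if it is only the BOM generator, 'absent' otherwise."""
    if any(c["name"] == name for c in sbom.get("components", [])):
        return "orphan" if name in orphan_components(sbom) else "runtime"
    if name in tool_names(sbom):
        return "tool"
    return "absent"


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("generated by:", tool_names(sbom))
    print("orphans:", orphan_components(sbom))
    for n in ("lit", "railroad-diagrams", "cyclonedx-npm"):
        print(f"{n}: {classify(sbom, n)}")
```

An `orphan` result is the signal to treat the entry as a generator problem and verify it against the project's own lockfile before raising a ticket; a `runtime` result for a package with a CVE is the case that actually needs triage.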

I suspected that too … I couldn’t imagine that it would be needed for Vaadin flow applications itself.
It’s funny then: the tool for creating the SBOM, which was introduced because of all the vulnerabilities, brings a vulnerability :stuck_out_tongue_winking_eye: