We use Vaadin 24.7.6 with a Gradle build. While executing the task vaadinBuildFrontend, a lot of npm modules are downloaded and used to build the frontend JavaScript.
Is this build affected by the current attacks on npm packages, or are the used versions of npm packages and dependencies fixed and the build unaffected by these attacks?
https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
I wrote an answer to the same question posted here: Vaadin 24.8.3, how can we make sure it does not contains hijacked packages? - #3 by Tatu2
The infected packages were generally ones that are used more at build time and not in the actual frontend bundles. It looks like those are not being used by Vaadin in the frontend. But our development team is double-checking this.
We have executed security scans on all Vaadin versions delivered in the last 3 months, and none of the tools have flagged the use of the vulnerable packages mentioned in the npm attack reports.
Additionally, every Vaadin release includes a Software Bill of Materials (SBOM) that lists all dependency versions used at build time. These SBOM files are publicly available on the platform releases page and can be downloaded for verification.
Based on the tool reports and the SBOM contents, we can confirm that no Vaadin JS bundles shipped during this period contain any of the reported vulnerable packages.
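For readers who want to do the same kind of verification on their own project, here is an added example (not code from the thread, from Vaadin, or from the advisory) that cross-checks a lockfileVersion 2/3 package-lock.json and a CycloneDX JSON SBOM against a list of known-bad package versions. The lockfile, the SBOM and the blocklist are constructed placeholders; a real blocklist would come from the advisory or an OSV/Socket feed, and the SBOM would be the one downloaded from the Vaadin releases page. It also records whether every match is a dev-only dependency, since that distinction (build-time tooling vs. shipped bundle) is the one the answer above makes.

```python
"""Cross-check an npm lockfile and a CycloneDX SBOM against a blocklist of
package@version pairs.  All sample data below is constructed for this
example and is not the real list of packages from the September 2025 incident."""
from __future__ import annotations
import json

# Constructed placeholder blocklist: (package name, exact version).
BLOCKLIST = {
    ("example-color-utils", "4.1.2"),
    ("@example/build-helper", "2.0.7"),
}

# Constructed sample package-lock.json (lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({
    "name": "my-vaadin-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-vaadin-app", "version": "1.0.0"},
        "node_modules/lit": {"version": "3.1.0"},
        "node_modules/example-color-utils": {"version": "4.1.2", "dev": True},
        "node_modules/some-tool": {"version": "1.2.3", "dev": True},
        # nested install: a de-duplication miss puts a second copy under some-tool
        "node_modules/some-tool/node_modules/@example/build-helper": {
            "version": "2.0.7", "dev": True},
    },
})

# Constructed sample CycloneDX 1.5 SBOM fragment.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lit", "version": "3.1.0"},
        {"type": "library", "group": "@example", "name": "build-helper",
         "version": "2.0.7"},
    ],
})


def lock_packages(lock_json: str) -> dict[tuple[str, str], bool]:
    """Return {(name, version): is_dev} for every installed package in a
    lockfileVersion 2/3 package-lock.json.  The package name is the path
    segment after the last 'node_modules/', which handles nested installs."""
    lock = json.loads(lock_json)
    found: dict[tuple[str, str], bool] = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found[(name, meta.get("version", ""))] = bool(meta.get("dev", False))
    return found


def sbom_packages(sbom_json: str) -> set[tuple[str, str]]:
    """Return {(name, version)} from a CycloneDX JSON SBOM.  npm scopes are
    stored in 'group', so re-join them to rebuild the full package name."""
    sbom = json.loads(sbom_json)
    out: set[tuple[str, str]] = set()
    for comp in sbom.get("components", []):
        name = comp["name"]
        if comp.get("group"):
            name = f"{comp['group']}/{name}"
        out.add((name, comp.get("version", "")))
    return out


def find_compromised(packages, blocklist=BLOCKLIST) -> list[tuple[str, str]]:
    """Sorted (name, version) pairs present in both the inventory and the blocklist."""
    return sorted(set(packages) & set(blocklist))


def report(lock_json: str, sbom_json: str) -> dict:
    """Compare lockfile and SBOM against the blocklist and against each other."""
    lock = lock_packages(lock_json)
    sbom = sbom_packages(sbom_json)
    lock_hits = find_compromised(lock.keys())
    return {
        "lock_hits": lock_hits,
        # True when every flagged package is build-time only (never bundled)
        "lock_dev_only": all(lock[h] for h in lock_hits),
        "sbom_hits": find_compromised(sbom),
        # SBOM entries the lockfile does not know: the SBOM and the build are out of sync
        "sbom_not_in_lock": sorted(sbom - set(lock.keys())),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOCK, SAMPLE_SBOM), indent=2))
```

Run it against your own files by replacing the two sample strings with the contents of package-lock.json and the downloaded SBOM; an empty "lock_hits" and "sbom_hits" with an empty "sbom_not_in_lock" is the result you want, and a non-empty "sbom_not_in_lock" means the SBOM you verified is not the one your build actually used.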
@daniel.nuetzler, as noted in my previous answer, none of our releases contain the compromised npm packages, not even the one you are using. Regarding your security concerns, please note that version 24.7.6 is already outdated. The latest patch in that series is 24.7.11, and patch releases are specifically intended to update dependencies and eliminate reported vulnerabilities.
Because our release model follows the evergreen principle, we strongly recommend keeping your project aligned with the most recent versions. Updating to 24.7.11 will ensure you are covered, but moving to 24.9.0 would be even better.
Thank you for the investigation.
We have published an advisory with the details about this matter: ADVISORY-2025-09-26: Vaadin Flow, Hilla and the September 2025 npm supply-chain attacks