I wrote an answer to the same question posted here: Vaadin 24.8.3, how can we make sure it does not contains hijacked packages? - #3 by Tatu2
The the packages infected generally were something that are more used in the build time and not in actual frontend bundles. It looks like that those are not being used by Vaadin in the frontend. But our development teams is double checking this.