We have executed security scans on all Vaadin versions delivered in the last 3 months, and none of the tools have flagged the use of the vulnerable packages mentioned in the npm attack reports.
Additionally, every Vaadin release includes a Software Bill of Materials (SBOM) that lists all dependency versions used at build time. These SBOM files are publicly available on the platform releases page and can be downloaded for verification.
Based on the tool reports and the SBOM contents, we can confirm that no Vaadin JS bundles shipped during this period contain any of the reported vulnerable packages.
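
One way to run the SBOM verification mentioned above, as an added example that is not part of the original statement and not Vaadin's own tooling. It assumes the downloaded SBOM is CycloneDX JSON with `purl` fields (the page does not state the format); the package names, versions and function names are constructed placeholders to be replaced with the list from the advisory you are checking against.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX-style fragment; names and versions are placeholders.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"name": "example-lib", "version": "1.2.4", "purl": "pkg:npm/example-lib@1.2.4"},
  {"group": "@example-scope", "name": "widget", "version": "4.0.1",
   "purl": "pkg:npm/%40example-scope/widget@4.0.1"},
  {"name": "bundle", "version": "2.0.0", "purl": "pkg:npm/bundle@2.0.0",
   "components": [
     {"name": "example-lib", "version": "1.2.3", "purl": "pkg:npm/example-lib@1.2.3"}]},
  {"group": "com.example", "name": "example-lib", "version": "1.2.3",
   "purl": "pkg:maven/com.example/example-lib@1.2.3"}
]}
""")

# Constructed advisory data: package name -> affected versions.
AFFECTED = {"example-lib": {"1.2.3"}, "@example-scope/widget": {"4.0.1", "4.0.2"}}

def walk(components):
    """Yield every component, including nested ones."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def npm_coordinates(comp):
    """Return (name, version) for an npm component, else None."""
    purl = comp.get("purl", "")
    if not purl.startswith("pkg:npm/"):
        return None  # other ecosystems (e.g. Maven) are out of scope here
    body = purl[len("pkg:npm/"):].split("?")[0].split("#")[0]
    name, _, version = body.rpartition("@")
    if not name:  # purl carries no version; fall back to the version field
        name, version = body, comp.get("version", "")
    return unquote(name), unquote(version)  # %40scope/pkg -> @scope/pkg

def find_affected(sbom, affected):
    """Return sorted (name, version) pairs that the advisory list contains."""
    hits = set()
    for comp in walk(sbom.get("components")):
        coords = npm_coordinates(comp)
        if coords and coords[1] in affected.get(coords[0], ()):
            hits.add(coords)
    return sorted(hits)

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_SBOM, AFFECTED):
        print(f"AFFECTED: {name}@{version}")
```

Matching is on exact name and version, so a Maven artifact with the same name and a neighbouring npm version are both correctly ignored, while a package nested inside another component is still found.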