Hi, could Vaadin be affected by the latest NPM issue? axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity
I have checked, Vaadin is using “axios”: “^1.13.6” right?
Depends what you have done while it was vulnerable.
I only searched for “axios” in the IDE and found some version numbers. That’s why I thought it’s used by Vaadin.
Well… you are using it, if it’s embedded, aren’t you?
Depending on how it’s configured to be pulled (^ vs exact versioning) and your bad luck / good luck when building, you got lucky or not if it’s present in your package(-lock).
Checked with AI :
Rollup’s package.json overrides pin axios to ^1.13.2 for its own sub‑dependencies. But this does not install axios in the project; it is simply a safety measure applied by the Rollup maintainers.
So it looks fine. I thought, because I found some places when I searched for “axios” in my IDE, that it gets used by Vaadin.
It’s hard to prevent those kinds of problems. If a Vaadin update gets released, nobody knows if there are new dependencies used which maybe have malicious or other problems.
How do you guys check those kinds of issues, to prevent using a “bad” version?
package-lock.json has to be committed, CI server builds with proper safeguards in place and remote dependency cache / rulebooks
package-lock.json is always committed.
CI pipelines use only the clean package and nothing else; should be fine.
Which Vaadin version do you use? Do you use add-ons that might bring npm packages as transitive dependencies?
Vaadin 25.1.1. I don’t have axios in node_modules or anywhere else. Only when I search for “axios” in the IDE does it find it in rollup/package.json, the override version for axios with version 1.13.6.
Ok, so it is in node_modules/rollup/package.json. Yes it is there, but it is not in package.json or package-lock.json of the project.
Correct, there is no entry which has “axios”.
We published an advisory related with this: Vaadin Flow and the axios npm supply-chain compromise