The 1.0 version contains a dependency to the infamous log4j-core 2.x. If you happen to be using this add-on, be sure you have overridden log4j to non-vulnerable version! https://vaadin.com/blog/vaadin-and-remote-code-injection-in-log4j
Thanks for noticing! Good catch!
Thanks for the quick update! According to our analysis, none of the 993 Vaadin Java extensions we analyzed now bring in the vulnerable Log4J library.