here is the list of hijacked packages. How can we make sure any vaadin version does not contain them?
Check your package-lock.json
There have been two major incidents with npm supply chain within past few weeks. That is naturally something that raises concerns. This is not just a problem for us at Vaadin, but an industry wide challenge. What has been communicated is that npm registry has deleted those faulty packages. So if you do the usual "mvn vaadin:clean-frontend" it will delete the node_modules and reset the package-lock.json and thus re-download everything. As a result there should not be infected packages in node_modules anymore. This is something that you can consider doing if you suspect that you have run the build during the time when those infected packages were in the registry or just want to play safe.
npm install will be called when I start my Vaadin application. It will therefore install new versions which might be infected. The second incident with npm could have caused problems on developer machines (if I understand it correctly).
A solution to that is to run npm ci on development, not only for production builds. See Why developers should use npm ci instead of npm install and its benefits - DeployBot Help Center
The ciBuild property in Vaadin Flow is only working for production builds (https://github.com/vaadin/flow/pull/15986). I think it would be great if there was an option to also use it for development builds. Have you considered that?
Nothing will actually be installed from that npm install if you haven't changed pom.xml or package.json, as long as you have a previous package-lock.json file in place. This means that you would be safe in most cases but not e.g. if starting a new project or doing some affected version update during that time window.
If in doubt you could also scan your repository, for example using GitHub - Cobenian/shai-hulud-detect: A simple project to detect the Shai-Hulud npm supply chain attack. Package / vulnerability scanners like trivy or snyk might also provide alerts when vulnerable packages are used.
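As an added example (not code from this thread, from Vaadin, or from the scanner mentioned above), a small script that checks the pins recorded in package-lock.json against a list of compromised name@version entries, including transitive pins that package.json never shows. The compromised list and the sample lockfile are constructed placeholders; replace them with the entries from the advisory and your project's real lockfile.

```python
import json
from typing import Iterable, List, Tuple

# Constructed placeholder list of compromised name@version entries.
# Substitute the real entries from the advisory before scanning a project.
COMPROMISED = {
    "@example/compromised-lib@1.2.3",
    "hijacked-placeholder@4.0.1",
}

def lockfile_entries(lock: dict) -> Iterable[Tuple[str, str, str]]:
    """Yield (install path, package name, resolved version) for every package
    pinned in a package-lock.json, supporting lockfileVersion 1, 2 and 3."""
    packages = lock.get("packages")
    if packages is not None:  # lockfile v2/v3: flat map keyed by install path
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version", "")
    else:  # lockfile v1: nested "dependencies" tree
        def walk(deps: dict, prefix: str):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield path, name, meta.get("version", "")
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")

def find_compromised(lock: dict, compromised=COMPROMISED) -> List[str]:
    """Return install paths whose pinned name@version is on the compromised list.
    Matching is exact on the version: a neighbouring version is not flagged."""
    return [path for path, name, version in lockfile_entries(lock)
            if f"{name}@{version}" in compromised]

# Constructed sample lockfile (v3 layout): one bad pin hidden under a
# transitive dependency, plus a near-miss version that must not be flagged.
SAMPLE_LOCK = json.loads("""{
  "name": "my-vaadin-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "my-vaadin-app", "version": "1.0.0"},
    "node_modules/some-dep": {"version": "2.0.0"},
    "node_modules/some-dep/node_modules/@example/compromised-lib": {"version": "1.2.3"},
    "node_modules/hijacked-placeholder": {"version": "4.0.0"}
  }
}""")

if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK):
        print("compromised pin:", hit)
```

Run it against a real project with `find_compromised(json.load(open("package-lock.json")))`; a non-empty result means the lockfile still pins an affected version and a clean-frontend plus fresh install is warranted.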
In the other thread (Is Vaadin build affected by attacks on npm packages? - #4 by manolo1) Vaadin team shared that their scanning did not identify any affected packages.
Is this really true?
What about dependency versions in package.json (or dependencies of dependencies that we don't even see in package.json) marked with ^ or ~?
Aren't they updated when we run "npm install"? And doesn't that also trigger an update of package-lock.json?
The previous versions remain based on the content in package-lock.json. The only purpose of the package-lock.json file is to record what was chosen for each open dependency range so that the same choice remains there until you change package.json or run something like npm update.
Okay, I think I got it.
As long as package.json is not touched, package-lock.json will always satisfy the package.json. And therefore nothing will be updated in package-lock.json. Thx for your reply :)
There is an advisory explaining what was said here: ADVISORY-2025-09-26: Vaadin Flow, Hilla and the September 2025 npm supply-chain attacks