Vaadin 24.8.3, how can we make sure it does not contain hijacked packages?

There have been two major incidents with the npm supply chain within the past few weeks. That is naturally something that raises concerns. This is not just a problem for us at Vaadin, but an industry-wide challenge. What has been communicated is that the npm registry has deleted those faulty packages. So if you do the usual “mvn vaadin:clean-frontend” it will delete the node_modules and reset the package-lock.json and thus re-download everything. As a result there should not be infected packages in node_modules anymore. This is something that you can consider doing if you suspect that you have run the build during the time when those infected packages were in the registry or just want to play safe.

2 Likes
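As an added example (not from the post above and not Vaadin's own tooling), here is a check a team could run on the package-lock.json that the build regenerates after the clean-frontend step: it lists every resolved package and flags any name/version pair on a blocklist you supply, plus any entry that was not resolved from the registry you trust. The sample lock contents and the blocklist are constructed placeholders, not real incident data.

```python
import json

# Constructed sample package-lock.json in the lockfileVersion 3 layout (npm 9+).
# Package names and versions are placeholders, not real incident data.
SAMPLE_LOCK = json.dumps({
    "name": "my-vaadin-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-vaadin-app", "dependencies": {"example-lib": "^1.2.0"}},
        "node_modules/example-lib": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-1.2.3.tgz"},
        "node_modules/example-lib/node_modules/helper-pkg": {
            "version": "0.9.1",
            "resolved": "https://registry.npmjs.org/helper-pkg/-/helper-pkg-0.9.1.tgz"},
        "node_modules/other-pkg": {
            "version": "2.0.0",
            "resolved": "https://example-mirror.internal/other-pkg-2.0.0.tgz"},
    },
})

# Placeholder blocklist of (name, version) pairs; fill it from the advisory you respond to.
BLOCKLIST = {("example-lib", "1.2.3")}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

def package_name(path):
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    return path.rsplit("node_modules/", 1)[-1]

def installed_packages(lock_text):
    """Yield (name, version, resolved) for every package in a v1, v2 or v3 lock file."""
    lock = json.loads(lock_text)
    found = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == "" or "version" not in meta:
                continue  # root project entry or a workspace link
            found.append((package_name(path), meta["version"], meta.get("resolved", "")))
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps):
            for name, meta in deps.items():
                found.append((name, meta.get("version", ""), meta.get("resolved", "")))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found

def audit_lock(lock_text, blocklist=BLOCKLIST, registry=TRUSTED_REGISTRY):
    """Return blocklisted hits and entries resolved from outside the trusted registry."""
    blocked, foreign = [], []
    for name, version, resolved in installed_packages(lock_text):
        if (name, version) in blocklist:
            blocked.append((name, version))
        if resolved and not resolved.startswith(registry):
            foreign.append((name, version, resolved))
    return {"blocked": blocked, "foreign": foreign}
```

In practice you would read the real lock file from the project root and fail the build when either list is non-empty.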