Every now and then, there’s a security issue in some library that is not directly included by Vaadin but might still be commonly used with Vaadin or even recommended by us. The most recent case is NVD - CVE-2025-24813 which affects Tomcat. While Vaadin doesn’t have a direct dependency on Tomcat, you might still indirectly be using that version through a Spring Boot version that you got from https://start.vaadin.com/. The proper course of action would thus be to update the spring-boot-starter-parent version in your pom.xml rather than updating vaadin.version.
The question is whether it would be useful to you if we sent out a security advisory for cases like this, or whether it would be seen as noise or maybe even “crying wolf” to get those kinds of updates from us?
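The post above makes a point that is easy to get wrong in practice: the vulnerable Tomcat build is reached through the Spring Boot starter, not through Vaadin, so bumping vaadin.version would not change it. The script below is an added example (not code from the Vaadin post or from Vaadin itself): it parses the output of `mvn dependency:tree`, reports which path a given artifact arrived through, decides from that path which version property in pom.xml controls it, and compares the resolved version against a per-branch minimum. The sample tree text, its version numbers, and the fixed-version threshold used in the demo are constructed for illustration; take the real fixed versions from the Apache announcement for the CVE in question.

```python
"""Locate an indirect Maven dependency and decide which pom.xml property controls it.

Added example; not part of the Vaadin post. Feed it the text of
`mvn dependency:tree` (the [INFO]-prefixed lines) from your own build.
"""
import re
from typing import Dict, List, Optional, Tuple

INFO_PREFIX = "[INFO] "

# Constructed sample of `mvn dependency:tree` output for a Vaadin + Spring Boot
# project. Artifact versions here are illustrative only, not from any real build.
SAMPLE_TREE = r"""
[INFO] com.example:my-app:jar:1.0-SNAPSHOT
[INFO] +- com.vaadin:vaadin-spring-boot-starter:jar:24.6.5:compile
[INFO] |  \- com.vaadin:flow-server:jar:24.6.5:compile
[INFO] |     \- org.jsoup:jsoup:jar:1.18.3:compile
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:3.4.2:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-tomcat:jar:3.4.2:compile
[INFO]       +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.34:compile
[INFO]       +- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.34:compile
[INFO]       \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.34:compile
"""

def parse_tree(tree_text: str) -> List[Tuple[int, str, str, str]]:
    """Yield (depth, groupId, artifactId, version) for each node of the tree."""
    nodes = []
    for line in tree_text.splitlines():
        if not line.startswith(INFO_PREFIX):
            continue
        body = line[len(INFO_PREFIX):]
        # The tree glyphs ("+- ", "\- ", "|  ", "   ") are three characters per level,
        # so the column where the coordinate starts gives the nesting depth.
        m = re.search(r"[\w.\-]+:[\w.\-]+:", body)
        if not m:
            continue
        depth = m.start() // 3
        fields = body[m.start():].split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]
        if len(fields) < 4:
            continue
        version = fields[4] if len(fields) >= 6 else fields[3]
        nodes.append((depth, fields[0], fields[1], version))
    return nodes

def find_artifact(tree_text: str, group: str, artifact: str) -> List[Tuple[str, List[str]]]:
    """Return (resolvedVersion, path-from-root) for every occurrence of group:artifact."""
    stack: List[str] = []
    hits = []
    for depth, g, a, v in parse_tree(tree_text):
        del stack[depth:]          # climb back up to this node's parent
        stack.append(f"{g}:{a}:{v}")
        if g == group and a == artifact:
            hits.append((v, list(stack)))
    return hits

def fix_location(path: List[str]) -> str:
    """Name the pom.xml knob that controls the artifact, judged by who pulled it in."""
    intermediates = [p.split(":")[0] for p in path[1:-1]]   # drop root and the artifact itself
    if any(g.startswith("org.springframework.boot") for g in intermediates):
        return "spring-boot-starter-parent"
    if any(g.startswith("com.vaadin") for g in intermediates):
        return "vaadin.version"
    return "direct dependency in pom.xml"

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering versions such as 10.1.34 (non-numeric parts are ignored)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def is_patched(version: str, fixed_by_branch: Dict[str, str]) -> Optional[bool]:
    """True if version >= the fixed version of its major.minor branch, None if branch unknown."""
    branch = ".".join(version.split(".")[:2])
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return None
    return version_key(version) >= version_key(fixed)

def report(tree_text: str, group: str, artifact: str, fixed_by_branch: Dict[str, str]) -> List[str]:
    """One human-readable line per resolved occurrence of the artifact."""
    lines = []
    for version, path in find_artifact(tree_text, group, artifact):
        state = {True: "patched", False: "VULNERABLE", None: "unknown branch"}[is_patched(version, fixed_by_branch)]
        lines.append(f"{group}:{artifact}:{version} [{state}] via {' -> '.join(path[1:-1]) or '(direct)'}; "
                     f"update {fix_location(path)}")
    return lines

if __name__ == "__main__":
    # Threshold assumed for the demo; replace with the fixed versions from the Apache advisory.
    assumed_fixed = {"10.1": "10.1.35"}
    for line in report(SAMPLE_TREE, "org.apache.tomcat.embed", "tomcat-embed-core", assumed_fixed):
        print(line)
```

Run it against `mvn dependency:tree > tree.txt` from your own project; the "via" chain is what tells you whether the artifact is Spring Boot's, Vaadin's, or yours, and therefore which version to bump.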
My two cents: Don’t “spam” us with indirect things like this :) That’s not your job (hopefully!)
The only thing that would be nice to have: if you use something transitive yourself (like Jsoup) → yes, information would be appreciated (especially for those that can’t update to a Vaadin version with a newer Jsoup version)
If we update a transitive dependency like jsoup due to a security issue, then our practice is indeed to send out an advisory to notify users that they should update to the new Vaadin version or take some other action to mitigate that issue.
On the other hand, we are mainly monitoring the versions used in the latest version of the Vaadin branches that we maintain. This means that we might miss cases where a security issue is announced for an older version that we no longer use. It’s always ultimately up to the application itself to keep track of all the libraries that it’s using, regardless of whether those are direct application dependencies or transitive ones.
Yes, in general it is important to know about any security weaknesses, but it is usually the devs’ duty to care about such. Therefore we internally run an instance of Dependency-Track and will soon integrate “renovate” into GitLab to create Jira issues. Will see if it spams us then
Imho it would be too late and therefore would just create spam. Let’s use the mentioned CVE as an example. The Apache announcement was 8 days ago - people that haven’t reacted by now and are affected have some other problems already…
The only thing where I would think an additional announcement by Vaadin would be justified would be another Log4Shell-level CVE, just to spread the information and hopefully the information that Vaadin is not affected