Skip to content

chore: pin vaadin-themable-mixin in versions.json (25.2) (#9109) (CP: 25.1)#9131

Merged
manolo merged 2 commits into
25.1from
cherry-pick-9109-to-25.1-1783609193848
Jul 10, 2026
Merged

chore: pin vaadin-themable-mixin in versions.json (25.2) (#9109) (CP: 25.1)#9131
manolo merged 2 commits into
25.1from
cherry-pick-9109-to-25.1-1783609193848

Conversation

@vaadin-bot

Copy link
Copy Markdown
Contributor

This PR cherry-picks changes from the original PR #9109 to branch 25.1.

Original PR description

Summary

Add a vaadin-themable-mixin entry to the core section of versions.json, pinning @vaadin/vaadin-themable-mixin to 25.2.0 alongside its sibling base packages (@vaadin/component-base, @vaadin/a11y-base, @vaadin/overlay), which are already listed there.

Context

@vaadin/vaadin-themable-mixin was the only core base web component package missing from versions.json, so it was left unpinned. This aligns it with the convention of listing all components. The entry is placed in the core section so it is emitted into vaadin-core-versions.json.

This is a consistency change. It is not the fix for the breadcrumbs bundle failure on 25.2, which is being addressed separately by backporting the Breadcrumbs React wrappers to the @vaadin/react-components 25.2 branch.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Dependencies Report

  • 🚫 Vulnerabilities:

  • 🟠 Known Vulnerabilities:

    • Vulnerabilities in: pkg:npm/%40opentelemetry/core@1.9.0 [CVE-2026-54285] (osv-bomber)
      👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
      ·
    • Vulnerabilities in: pkg:npm/esbuild@0.27.7 [GHSA-g7r4-m6w7-qqqr] (osv-bomber)
      👌 In flow, esbuild 0.27.7 is pulled in only as a transitive dependency of Vite (vite@7.3.5), declared in:flow-server/src/main/resources/com/vaadin/flow/server/frontend/dependencies/vite/package.json & vaadin-dev-server/package.json (vite@7.3.2)Vite uses esbuild purely as a library — for dependency pre-bundling and TS/JSX transforms. Vite's dev server is its own Node/connect-based HTTP server; it never starts esbuild's serve feature, which is the only code path the advisory touches. Vaadin in turn runs Vite as the dev server (ViteHandler $
      ightarrow$ vite executable, vite build for production), so esbuild's vulnerable serve path is never exercised.So even on Windows dev machines, the attack surface (esbuild's own --servedir server) is simply not in use.
      ·
    • Vulnerabilities in: pkg:npm/%40opentelemetry%2Fcore@1.8.0 [CVE-2026-54285] (osv-scan)
      👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
      ·
    • Vulnerabilities in: pkg:npm/%40opentelemetry%2Fcore@1.9.0 [CVE-2026-54285] (osv-scan)
      👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
      ·
    • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
      👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
      · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
      · cpe:2.3:a:ada:ada::::::::
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-swing-kit-flow@3.0.1 [CVE-2021-33604] (owasp)
      👌 false report: this CVE is targeting Vaadin version prior 20, swing-kit-flow is using vaadin 24+ version, the related issue has been fixed.
      · cpe:2.3:a:vaadin:flow-server::::::::
      · cpe:2.3:a:vaadin:vaadin::::::::
  • 📔 No Core License Issues

  • 📔 No License Issues

[Click for more Details]

Comment thread versions.json Outdated
@manolo manolo merged commit 38f4c93 into 25.1 Jul 10, 2026
3 of 4 checks passed
@manolo manolo deleted the cherry-pick-9109-to-25.1-1783609193848 branch July 10, 2026 04:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants