
Highcharts 9.2.2 vulnerability pulled into all Vaadin 24 projects via @vaadin/bundles #178

@mattatfeithdotcom

Description


Summary

All Vaadin 24 projects — including those that do not use vaadin-charts — have highcharts@9.2.2 added to their npm dependency tree. This occurs because @vaadin/bundles (introduced in Vaadin 24) declares highcharts as a direct dependency in its package.json, and @vaadin/bundles is injected into every project's package.json by flow-server at build time.

This issue does not affect Vaadin 23, where @vaadin/bundles did not exist.

Affected versions

  • Vaadin 24.x (confirmed on 24.9.12)
  • Not present in Vaadin 23.x

Steps to reproduce

  1. Create a new Vaadin 24 project with no vaadin-charts dependency
  2. Run mvn vaadin:build-frontend (or equivalent Gradle task)
  3. Inspect the generated package.json; @vaadin/bundles will be listed
  4. Run a dependency scan (e.g. OWASP Dependency-Check, npm audit, or Snyk)
  5. highcharts@9.2.2 is flagged as a vulnerable dependency

Root cause

@vaadin/bundles/package.json hardcodes highcharts as a direct dependency:

"highcharts": "9.2.2"

See: https://github.com/vaadin/bundles/blob/main/package.json

flow-server injects @vaadin/bundles into the project's package.json at build time. Excluding vaadin-dev-bundle from Maven does not fix this because the @vaadin/bundles reference is hardcoded in flow-server itself.

Highcharts 9.x has known XSS vulnerabilities. See CVE-2021-29489 and the Highcharts security documentation which states that input filtering for XSS vectors was not present prior to version 9 — and that version 9.2.2 specifically is flagged by security scanners.

Expected behavior

Projects that do not declare a dependency on vaadin-charts should not have highcharts in their npm dependency tree at all. At a minimum, the bundled version of highcharts should be updated to a non-vulnerable release (current stable is 11.x / 12.x).

Current workaround

Add an override to your project's package.json to force resolution to a safe version:

{
  "overrides": {
    "highcharts": "^11.0.0"
  }
}

For pnpm:

{
  "pnpm": {
    "overrides": {
      "highcharts": "^11.0.0"
    }
  }
}

This workaround should not be necessary — it is Vaadin's responsibility to ship a clean, non-vulnerable dependency tree.

Suggested fix

One of the following:

  1. Bump highcharts to a non-vulnerable version in @vaadin/bundles/package.json
  2. Make highcharts an optional peer dependency so it is only installed when @vaadin/charts is actually used by the project
  3. Remove highcharts from @vaadin/bundles entirely and let @vaadin/charts declare its own direct dependency

Prior art

This is a recurring pattern. The same class of issue was reported for Vaadin 14 in vaadin/web-components#7294 (Highcharts 6.1.4, CVE-2021-29489). That was fixed by bumping the bundled version. The underlying architectural issue — bundling a commercial charting library into a shared bundle that is injected into all projects — has not been addressed.
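A check for the symptom in steps 3 to 5 and for the override in the workaround, as an added example that is not part of this issue or of Vaadin's code: a Node script that walks the `packages` map of a package-lock.json (lockfile v2/v3), reports every installed copy of highcharts, which package required it, and whether its major version is below a chosen minimum. The lock file embedded below is constructed to mirror the situation reported.

```javascript
// Constructed sample lock file: the project itself never asks for highcharts,
// but @vaadin/bundles (injected by flow-server) pins it to 9.2.2.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-vaadin-app", dependencies: { "@vaadin/bundles": "24.9.12" } },
    "node_modules/@vaadin/bundles": { version: "24.9.12", dependencies: { highcharts: "9.2.2" } },
    "node_modules/highcharts": { version: "9.2.2" },
  },
};

// Leading major number of a version string ("9.2.2" -> 9); NaN if unparseable.
function majorOf(version) {
  const m = /^v?(\d+)/.exec(String(version));
  return m ? Number(m[1]) : NaN;
}

// Every installed copy of `pkg`, top-level or nested, with its version and the
// packages whose dependency entries pulled it in ("(project root)" for the app).
function findInstalled(lock, pkg) {
  const entries = Object.entries(lock.packages || {});
  const hits = entries
    .filter(([path]) => path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
  for (const hit of hits) {
    hit.requiredBy = entries
      .filter(([, meta]) => meta.dependencies && pkg in meta.dependencies)
      .map(([path]) => (path === "" ? "(project root)" : path.replace(/^.*node_modules\//, "")));
  }
  return hits;
}

// Copies whose major version is below `minMajor` (NaN versions are flagged too,
// since an unparseable version should never pass a gate silently).
function vulnerableCopies(lock, pkg, minMajor) {
  return findInstalled(lock, pkg).filter((h) => !(majorOf(h.version) >= minMajor));
}

// Stand-alone run on the constructed sample: one flagged copy, pulled in by @vaadin/bundles.
for (const h of vulnerableCopies(sampleLock, "highcharts", 11)) {
  console.log(`${h.path}: ${h.version} (required by ${h.requiredBy.join(", ")})`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the first argument instead of `sampleLock`; after the override in the workaround is applied, the same call should return an empty list.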
