Hi team,
I’m using Jmix and recently upgraded to the latest version (2.7.1). During our SCA scan, we found a critical vulnerability related to Highcharts 9.2.2, with a recommendation to upgrade it to 10.3.0.
The dependency is appearing inside the JAR produced by the application:
application/build/libs/my-app.jar
└── BOOT-INF/lib/vaadin-dev-bundle-24.9.2.jar
    └── vaadin-dev-bundle/package-lock.json → highcharts: 9.2.2
This seems to be bundled as part of Vaadin Dev Bundle 24.9.2, not something directly defined in my project’s package.json or dependencies.
Could you please advise on:
- Whether this Highcharts version is expected in Vaadin 24.9.2?
- If there is a way to override or upgrade this transitive dependency?
- Whether an updated Vaadin or Jmix version will include a fixed Highcharts version (10.3.0 or later)?
Thanks in advance for your guidance!
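A way to confirm this kind of SCA finding by hand, as an added example that is not part of the original post and is not Jmix or Vaadin code: the script below opens a Spring Boot fat JAR, reads every `package-lock.json` found directly in the archive or inside a nested `BOOT-INF/lib/*.jar`, and reports the versions recorded for a given npm package. It handles both lock-file layouts (v1 `dependencies`, v2/v3 `packages`), since a scanner and a human reading the file can disagree on which section they looked at. The sample JAR it builds (the nested jar name, the lock-file contents and the version numbers) is constructed for the demo; point `find_nested_versions` at the real `my-app.jar` to check the actual artifact.

```python
"""Locate npm package versions pinned in package-lock.json files inside a
Spring Boot fat JAR, including one level of nested JARs (BOOT-INF/lib).
Added example for verifying an SCA finding; not Jmix or Vaadin code.
The sample archive built by build_sample_jar() is constructed demo data."""
import io
import json
import os
import tempfile
import zipfile


def _lock_versions(lock_bytes, package):
    """Return the set of versions recorded for `package` in one package-lock.json.

    Covers lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    lockfileVersion 1 (nested "dependencies"). The same package can be pinned
    at several versions in one lock file, hence a set."""
    lock = json.loads(lock_bytes.decode("utf-8"))
    found = set()
    # v2/v3 layout: "packages": {"node_modules/highcharts": {"version": ...}}
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == package and "version" in meta:
            found.add(meta["version"])

    # v1 layout (also present as a compatibility section in v2 files)
    def walk(deps):
        for name, meta in deps.items():
            if name == package and "version" in meta:
                found.add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def find_nested_versions(jar_path, package):
    """Map 'outer-entry!inner-entry' -> set of versions found for `package`.

    Nested *.jar / *.zip entries are read from memory, one level deep, which
    matches how Spring Boot lays out BOOT-INF/lib."""
    results = {}
    with zipfile.ZipFile(jar_path) as outer:
        for entry in outer.namelist():
            if entry.endswith("package-lock.json"):
                versions = _lock_versions(outer.read(entry), package)
                if versions:
                    results[entry] = versions
            elif entry.endswith((".jar", ".zip")):
                with zipfile.ZipFile(io.BytesIO(outer.read(entry))) as inner:
                    for inner_entry in inner.namelist():
                        if inner_entry.endswith("package-lock.json"):
                            versions = _lock_versions(inner.read(inner_entry), package)
                            if versions:
                                results[f"{entry}!{inner_entry}"] = versions
    return results


def build_sample_jar(path):
    """Construct a small fat JAR shaped like the post's layout (demo data only)."""
    inner_lock = {
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "vaadin-dev-bundle"},
            "node_modules/highcharts": {"version": "9.2.2"},
            "node_modules/lit": {"version": "3.1.0"},
        },
    }
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("vaadin-dev-bundle/package-lock.json", json.dumps(inner_lock))
    # A v1-style lock at the top level pinning a different version, so the
    # output shows both layouts and both nesting levels being reported.
    outer_lock = {"lockfileVersion": 1,
                  "dependencies": {"highcharts": {"version": "10.3.0"}}}
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("BOOT-INF/lib/vaadin-dev-bundle-24.9.2.jar", inner.getvalue())
        z.writestr("META-INF/resources/package-lock.json", json.dumps(outer_lock))
    return path


def scan_sample(package="highcharts"):
    """Build the constructed sample JAR in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        jar = build_sample_jar(os.path.join(d, "my-app.jar"))
        return find_nested_versions(jar, package)


if __name__ == "__main__":
    for location, versions in sorted(scan_sample().items()):
        print(f"{location}: {', '.join(sorted(versions))}")
```

The script only reports what is physically inside the archive; whether a lock file inside a dev-bundle jar corresponds to JavaScript that is actually served by the production build is a separate question, which is why the post's third point (what the Vaadin/Jmix maintainers ship) still needs an answer from them.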