Highcharts 9.2.2 Vulnerability in Vaadin Dev Bundle (Jmix 2.7.1)

Hi team,

I’m using Jmix and recently upgraded to the latest version (2.7.1). During our SCA scan, we found a critical vulnerability related to Highcharts 9.2.2, with a recommendation to upgrade it to 10.3.0.

The dependency is appearing inside the JAR produced by the application:
application/build/libs/my-app.jar
└── BOOT-INF/lib/vaadin-dev-bundle-24.9.2.jar
    └── vaadin-dev-bundle/package-lock.json → highcharts: 9.2.2

This seems to be bundled as part of Vaadin Dev Bundle 24.9.2, not something directly defined in my project’s package.json or dependencies.

Could you please advise on:

  • Whether this Highcharts version is expected in Vaadin 24.9.2?
  • If there is a way to override or upgrade this transitive dependency?
  • Whether an updated Vaadin or Jmix version will include a fixed Highcharts version (10.3.0 or later)?

Thanks in advance for your guidance!

Can you please help on this?

Hi,

This version of highcharts is expected for Vaadin 24.9.2+.
Within fix releases of Jmix 2.7 we will update Vaadin to the latest 24.9.x version.
Next “big” Jmix release will use Vaadin 25 (which should use highcharts 12+).

Highcharts is not used by Jmix - it’s a part of the Vaadin Charts commercial component.
If you don’t explicitly buy and use it, you can try to force a new version of highcharts by creating a “fake” component. Create a class somewhere in your project and add the annotation (you can try different versions):

import com.vaadin.flow.component.dependency.NpmPackage;

// Marker class: the annotation alone is enough for Vaadin to pin the npm package version in the frontend build
@NpmPackage(value = "highcharts", version = "10.3.0")
public class HighchartsDependency {
}

After that the effective package-lock will contain the updated version.
Most likely it will break Vaadin Charts, so if you actually use it, I don’t think we can do anything about the version in this case.

And this approach still has a risk that some transitive dependency of the updated package may affect other components. But in this specific case I don’t expect such kind of issues, because highcharts doesn’t have its own dependencies.

Regards,
Ivan
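As an added example (not code from the thread, from Vaadin or from Jmix), a small Python check that reads the highcharts version recorded in a package-lock.json, whether it uses the older flat "dependencies" map or the newer "packages" map, and compares it against the 10.3.0 minimum the scanner asked for; it is the kind of check you would run after adding the @NpmPackage override to confirm the effective lock actually changed. The lock-file contents below are constructed samples, and the jar member path in `lock_from_jar` is an assumption that mirrors the one quoted in the question.

```python
import json
import re
import zipfile

# Constructed sample of a lockfileVersion 3 package-lock.json after the override took effect
LOCK_NEW = """{
  "name": "no-name", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"highcharts": "10.3.0"}},
    "node_modules/highcharts": {"version": "10.3.0", "license": "https://www.highcharts.com/license"}
  }
}"""

# Constructed sample of a lockfileVersion 1 package-lock.json still carrying the flagged version
LOCK_OLD = """{
  "name": "no-name", "lockfileVersion": 1,
  "dependencies": {
    "highcharts": {"version": "9.2.2"},
    "lit": {"version": "3.1.0"}
  }
}"""


def parse_version(text):
    """Turn '10.3.0' (or a range like '^10.3.0') into a comparable (major, minor, patch) tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def installed_version(lock, package):
    """Return the version of `package` pinned in a parsed package-lock (v1, v2 or v3), or None."""
    entry = lock.get("packages", {}).get("node_modules/" + package)  # v2/v3 layout
    if not entry:
        entry = lock.get("dependencies", {}).get(package)  # v1 layout (also kept in v2)
    return entry.get("version") if entry else None


def check_minimum(lock_text, package, minimum):
    """Return (found_version, ok): ok is True only if the lock pins at least `minimum`."""
    found = installed_version(json.loads(lock_text), package)
    if found is None:
        return None, False
    return found, parse_version(found) >= parse_version(minimum)


def lock_from_jar(jar_path, member="vaadin-dev-bundle/package-lock.json"):
    """Read the package-lock text out of an (already extracted) vaadin-dev-bundle jar. Path is assumed."""
    with zipfile.ZipFile(jar_path) as jar:
        return jar.read(member).decode("utf-8")


if __name__ == "__main__":
    for label, lock in (("before override", LOCK_OLD), ("after override", LOCK_NEW)):
        version, ok = check_minimum(lock, "highcharts", "10.3.0")
        print(f"{label}: highcharts {version}, meets 10.3.0 minimum: {ok}")
```

For the nested layout in the question, unpack `BOOT-INF/lib/vaadin-dev-bundle-24.9.2.jar` from the application jar first and pass that path to `lock_from_jar`.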