Hi Jmix team,
Another development team in our company (they are NOT using Jmix or Cuba) have found that they are vulnerable to the current npm attacks (S1ngularity, Shai-Hulud, see "Ongoing npm Software Supply Chain Attack Exposes New Risks") in that there were corrupted versions of npm packages included in their latest builds. So now they want to know if our project is affected, too. Our team have several different projects, using Cuba and Jmix 1 & 2. We do not have any npm dependencies in our project at all, but we would like to know if the Cuba/Jmix framework may be at risk, since I believe you do use npm during the build process of the framework (maybe in the Vaadin part)? Could you shed some light on this topic?
Kind regards,
Bart