Vaadin Version 8.14.3-1-jmix has Known Vulnerabilities

sumant.mogaveera · February 10, 2025, 1:46pm

Hi,

I’m currently using Jmix 1.5, which depends on Vaadin 8.14.3-1-jmix. This Vaadin version has several reported vulnerabilities. I need to know how to upgrade to a more secure and stable Vaadin 8 release without undertaking a migration to Vaadin Flow.

Maven URL: https://mvnrepository.com/artifact/com.vaadin/vaadin-root/8.14.3-1-jmix

Screenshot:
Screenshot from 2025-02-10 19-11-08

Thank you for your support!

Version Details :
Jmix version: 1.5.0
Jmix Studio plugin version: 2.0.0-231

gorelov · February 11, 2025, 10:52am

Hi,

I’ve created an issue to update to the latest public Vaadin version.

Regards,
Gleb

sumant.mogaveera · March 11, 2025, 9:52am

Hi,

It’s been about a month since the issue was reported, and I haven’t seen any updates yet. There hasn’t been any movement on the created issue. Could you please let me know by when I can expect a resolution or an update on this issue?

krivopustov · March 13, 2025, 5:42am

Hi Sumant,

We’ll be able to update the Classic UI to the newer Vaadin 8.14 in Jmix 1.7 which will be released by the end of April.

Regards,
Konstantin

adnan.khan · May 30, 2025, 5:55am

hi @krivopustov,

Given that Jmix 1.7 is presently an unstable release, when is its stable version anticipated?

krivopustov · May 30, 2025, 7:49am

It’s on the way. We found a regression in the final build 1.7.0 (JAXB-API has not been found on module path or classpath · Issue #4473 · jmix-framework/jmix · GitHub), so we have to release 1.7.1 and then we’ll announce it.
Will be available next week.

Regards,
Konstantin

krivopustov · June 3, 2025, 12:49pm

Jmix 1.7.1 is ready: Jmix 1.7 released

adnan.khan · July 11, 2025, 8:55am

Hi,

I tried updating jmix version from 1.5.0 to 1.7.1, i am getting AllRecordsExporter error is there is alternate class for this in the upgraded version

cannot find symbol
import io.jmix.gridexportui.exporter.excel.AllRecordsExporter;
                                          ^
  symbol:   class AllRecordsExporter
  location: package io.jmix.gridexportui.exporter.excel

Since i had override the class

public class CustomAllRecordsExporter extends AllRecordsExporter {

adnan.khan · July 12, 2025, 6:56am

@krivopustov any document link to resolve AllRecordsExporter issue

adnan.khan · July 12, 2025, 12:35pm

issue resolved

adnan.khan · July 16, 2025, 7:16am

Hi @krivopustov @gorelov

The vaadin version 8.14.4-1-jmix in jmix 1.7.1 is it vulnerability free. Since i can see 3 to 4vulnerabilty` in that version on maven.

Screenshot from 2025-07-16 12-45-22

krivopustov · July 16, 2025, 8:26am

Hi Adnan,

Vaadin 8.14.4 is the latest freely available version of Vaadin 8, see Releases & Roadmap | Vaadin

Free support for Vaadin 8 ended in February 2022 with version 8.14.4

If you have the extended support from Vaadin, let us know and we will discuss creating a fork with Jmix modifications specifically for your company.

The latest version of Jmix (currently it’s 2.6.0) uses Vaadin 24.7.3 which has no known vulnerabilities at the moment.

Regards,
Konstantin