Update flow to 23.4.2

[vaadin-bot]

No description provided.

[github-actions]

Dependencies Report

• 🟠 Known Vulnerabilities:

  • Vulnerabilities in: pkg:npm/railroad-diagrams@1.0.0 [CVE-2024-26467] (oss-bomber)
    👌 This is coming from the tools, @cyclonedx/cyclonedx-npm, we have used for sbom module, FP for us.
    ·
    • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.2 [CVE-2023-35116] (owasp)
      👌 based on the issue this is not a CVE Stack overflow error caused by serialization of Map with cyclic dependency -- NOT CVE FasterXML/jackson-databind#3972
      · cpe:2.3:a:fasterxml:jackson-databind::::::::

• 🚫 Vulnerabilities:

  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin@23.4-SNAPSHOT [CVE-2025-15022, GHSA-c7v7-rqfm-f44j] (osv-bomber,osv-scan)
    ·
    • Vulnerabilities in: pkg:maven/org.apache.commons/commons-lang3@3.12.0 [CVE-2025-48924] (osv-bomber,osv-scan,owasp)
      · cpe:2.3:a:apache:commons_lang::::::::
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-upload-flow@23.4.1 [GHSA-94g8-xv23-7656] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-spreadsheet-flow@23.4.1 [CVE-2025-15022] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/commons-fileupload/commons-fileupload@1.5 [CVE-2025-48976] (osv-bomber,osv-scan,owasp)
      · cpe:2.3:a:apache:commons_fileupload::::::::
      · cpe:2.3:a:apache:commons_fileupload:2.0.0:m1::::::
      · cpe:2.3:a:apache:commons_fileupload:2.0.0:m1-rc1::::::
      · cpe:2.3:a:apache:commons_fileupload:2.0.0:m2::::::
      · cpe:2.3:a:apache:commons_fileupload:2.0.0:m2-rc1::::::
      · cpe:2.3:a:apache:commons_fileupload:2.0.0:m3::::::
      · cpe:2.3:a:apache:commons_fileupload:2.0.0:m3-rc1::::::
    • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.2 [CVE-2025-52999] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.nimbusds/nimbus-jose-jwt@9.37.3 [CVE-2025-53864] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.poi/poi-ooxml@5.2.3 [CVE-2025-31672] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-websocket@5.3.32 [CVE-2025-41254] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.83 [CVE-2024-56337, CVE-2025-31650, CVE-2025-49124, CVE-2024-50379, CVE-2024-24549, CVE-2025-24813, CVE-2025-31651, CVE-2025-48989, CVE-2025-46701, CVE-2025-48988, CVE-2025-61795, CVE-2025-55754, CVE-2025-49125, CVE-2024-34750, CVE-2025-55752, BIT-tomcat-2024-56337, BIT-tomcat-2025-31650, BIT-tomcat-2025-49124, BIT-tomcat-2024-50379, BIT-tomcat-2024-24549, BIT-tomcat-2025-24813, BIT-tomcat-2025-31651, BIT-tomcat-2025-48989, BIT-tomcat-2025-46701, BIT-tomcat-2025-48988, BIT-tomcat-2025-61795, BIT-tomcat-2025-55754, BIT-tomcat-2025-49125, BIT-tomcat-2024-34750, BIT-tomcat-2025-55752, CVE-2024-52316, CVE-2024-38286, CVE-2025-52434, CVE-2025-52520, CVE-2025-53506, CVE-2025-55668, CVE-2024-23672, CVE-2024-54677] (osv-bomber,osv-scan,owasp)
      · cpe:2.3:a:apache:tomcat::::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone21::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone22::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
      · cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
      · cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere::
      · cpe:2.3:a:apache:tomcat:9.0.0:-::::::
      ·
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone26::::::
      · cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::
    • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.83 [CVE-2024-23672, BIT-tomcat-2024-23672] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-web@5.3.32 [CVE-2024-38809, CVE-2024-22262, CVE-2024-38820, CVE-2016-1000027, CVE-2024-22259, CVE-2024-38808] (osv-bomber,osv-scan,owasp)
      ·
      · cpe:2.3:a:vmware:spring_framework::::::::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
      · cpe:2.3:a:netapp:oncommand_insight:-:::::::*
    • Vulnerabilities in: pkg:maven/org.springframework/spring-core@5.3.32 [CVE-2025-41249, CVE-2024-22259, CVE-2024-38820, CVE-2024-38808] (osv-bomber,osv-scan,owasp)
      ·
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
      · cpe:2.3:a:vmware:spring_framework::::::::
      · cpe:2.3:a:netapp:oncommand_insight:-:::::::*
    • Vulnerabilities in: pkg:maven/org.springframework/spring-webmvc@5.3.32 [CVE-2024-38816, CVE-2024-38819, CVE-2025-41242, CVE-2024-38828] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-context@5.3.32 [CVE-2024-38820, CVE-2025-22233] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-expression@5.3.32 [CVE-2024-38808] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/ch.qos.logback/logback-core@1.2.13 [CVE-2025-11226, CVE-2024-12801, CVE-2024-12798, CVE-2026-1225] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework.boot/spring-boot@2.7.18 [CVE-2025-22235] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/vite@3.2.10#packages/vite [CVE-2025-32395, CVE-2025-31125, CVE-2024-45812, CVE-2025-46565, CVE-2025-62522, CVE-2024-45811, CVE-2025-58751, CVE-2025-58752, CVE-2025-24010, CVE-2025-30208, CVE-2025-31486] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:npm/path-to-regexp@2.4.0 [CVE-2024-45296] (osv-bomber,oss-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/esbuild@0.15.18 [GHSA-67mh-4wv8-2f99] (osv-bomber)
      ·
    • Vulnerabilities in: pkg:npm/async@3.2.2 [CVE-2024-39249] (oss-bomber)
      ·
    • Vulnerabilities in: pkg:npm/libxmljs2@0.37.0 [CVE-2024-34393, CVE-2024-34394] (oss-bomber)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-server@23.4.1 [CVE-2025-15022] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin@23.4.1 [CVE-2025-15022] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-server@23.4-SNAPSHOT [CVE-2025-15022] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-spreadsheet-flow@23.4-SNAPSHOT [CVE-2025-15022] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.commons/commons-fileupload2-core@1.5 [CVE-2025-48976] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/commons-lang/commons-lang@3.12.0 [CVE-2025-48924] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.83 [BIT-tomcat-2024-56337, CVE-2024-56337, BIT-tomcat-2025-49124, CVE-2025-49124, BIT-tomcat-2024-50379, CVE-2024-50379, BIT-tomcat-2025-24813, CVE-2025-24813, BIT-tomcat-2025-31651, CVE-2025-31651, BIT-tomcat-2025-46701, CVE-2025-46701, BIT-tomcat-2025-48988, CVE-2025-48988, BIT-tomcat-2025-61795, CVE-2025-61795, BIT-tomcat-2025-55754, CVE-2025-55754, BIT-tomcat-2025-49125, CVE-2025-49125, BIT-tomcat-2025-55752, CVE-2025-55752] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-embed-core@9.0.83 [BIT-tomcat-2024-56337, CVE-2024-56337] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.83 [BIT-tomcat-2025-31650, CVE-2025-31650, BIT-tomcat-2024-24549, CVE-2024-24549, BIT-tomcat-2025-48989, CVE-2025-48989, BIT-tomcat-2024-34750, CVE-2024-34750] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat@9.0.83 [BIT-tomcat-2025-49124, CVE-2025-49124, BIT-tomcat-2025-61795, CVE-2025-61795, BIT-tomcat-2025-55754, CVE-2025-55754, BIT-tomcat-2025-55752, CVE-2025-55752] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-websocket@9.0.83 [BIT-tomcat-2024-23672, CVE-2024-23672] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.springframework/spring-webflux@5.3.32 [CVE-2024-38816, CVE-2024-38819] (osv-scan)
      ·
    • Vulnerabilities in: pkg:npm/vite@3.2.10 [CVE-2025-32395, CVE-2025-31125, CVE-2024-45812, CVE-2025-46565, CVE-2025-62522, CVE-2024-45811, CVE-2025-58751, CVE-2025-58752, CVE-2025-24010, CVE-2025-30208, CVE-2025-31486] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.apache.logging.log4j/log4j-api@2.18.0 [CVE-2025-68161] (owasp)
      · cpe:2.3:a:apache:log4j::::::::
      · cpe:2.3:a:apache:log4j:2.0:-::::::
      · cpe:2.3:a:apache:log4j:2.0:beta9::::::
      · cpe:2.3:a:apache:log4j:2.0:rc1::::::
      · cpe:2.3:a:apache:log4j:2.0:rc1-rc1::::::
      · cpe:2.3:a:apache:log4j:2.0:rc2::::::
    • Vulnerabilities in: pkg:maven/org.apache.poi/poi@5.2.3 [CVE-2025-31672] (owasp)
      · cpe:2.3:a:apache:poi::::::::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
      · cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::

• 🟠 Changes in 23.4-SNAPSHOT since V23.4.1

  • 12 packages removed (12 external, 0 vaadin)
  • 9 packages added (9 external, 0 vaadin)
  • 192 packages modified (173 external, 19 vaadin)
  • 603 packages same (446 external, 157 vaadin)

[Click for more Details]