Vulnerable Highcharts.js version 6.1.4 in Vaadin 14 vaadin-charts [2 days]

[mukherjeesudebi]

Description

The vaadin-charts-flow of vaadin-14 uses highcharts.js version 6.1.4 which is vulnerable to to Cross-Site Scripting (XSS).
Currenty getting the below in dependency check

vaadin-charts-6.3.4.jar: highcharts.js (pkg:javascript/highcharts@6.1.4) : Versions of highcharts prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS), CVE-2021-29489
vaadin-charts-6.3.4.jar: highcharts.js (pkg:javascript/highcharts@6.1.4) : Versions of highcharts prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS), CVE-2021-29489

Expected outcome

The vaadin-charts-flow version for vaadin 14 should use the non vulnerable highcharts version 8.2.2
Though as a workaround vaadin-charts-flow version 21.0.9 can be used but the default should use the non vulnerable highcharts version.

Minimal reproducible example

Add the dependency for adding charts

<dependency>
  <groupId>com.vaadin</groupId>
  <artifactId>vaadin-charts-flow</artifactId>
</dependency>

and also the plugin for dependency check

<plugin>
 <groupId>org.owasp</groupId>
 <artifactId>dependency-check-maven</artifactId>
 <version>9.1.0</version>
 <executions>
  <execution>
   <goals>
    <goal>check</goal>
   </goals>
  </execution>
 </executions>
</plugin>

Steps to reproduce

Run

mvn dependency-check:check

Environment

Vaadin version(s): 14.11.7

Browsers

No response

[web-padawan]

Upgrading Highcharts to a major version is a breaking change. Here's the PR where it was done vaadin/vaadin-charts#471

[yuriy-fix]

We need to check the list of reports for the specified HC version and decide on whether we can cover those without bumping major version.

[DiegoCardoso]

Found the security report done by Highcharts related to this issue here.

There, they provide a workaround for those who can't upgrade Highcharts version, which is our case, so I will work on a way to apply it to the component.