Various npm dependencies are integrated via the com.top_logic.umljs module.

Vulnerabilities have been found in several of these dependencies in the meantime:

braces

CVE-2024-4068 | High severity

micromatch

CVE-2024-4067 | Moderate severity

rollup

CVE-2024-47068 | High severity

cross-spawn

CVE-2024-21538 | High severity

serialize-javascript

CVE-2024-11831 | Moderate severity

brace-expansion

CVE-2025-5889 | Low severity

js-yaml

CVE-2025-64718 | Moderate severity

The version of the explicit dependencies rollup and cross-spawn is thus raised manually and the others automatically by compiling with npm.