Acknowledgment from Microsoft - v1.22.1 has new vulnerability issues with npm audit - not impacting SPFx solutions in production #10563

@VesaJuvonen

Description

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

SPFx - 1.22.1
Nodejs - 22.14.0

Describe the bug / error

After scaffolding a new project with SPFx 1.22.1, npm audit reports 5 high severity vulnerabilities.

GitHub advisory details - GHSA-6rw7-vpxm-498p

This is a server-side DoS vulnerability which is reported as part of the SPFx project installation, since the project also supports hosting the developer environment locally as part of the developer experience. This is not a runtime SPFx issue which would be a vulnerability on a customer tenant when SPFx based solutions are used by end users.

In the case of SPFx, the attack vector is DoS on the developer's localhost - accessible only by the developer, who could cause memory exhaustion on the developer computer. The security issue exists when the vulnerable package is used in Node.js server-side solutions, which is not the case with SPFx when SPFx solutions are used in production.

Even though this security issue is not impacting customer SPFx solutions which are running in customer tenants, we do acknowledge the importance of avoiding any confusion with these reported security issues. As part of the commitment to keeping the npm audit logs clean, we are working on addressing this issue in the upcoming SPFx 1.22.2 release.

As this issue is not impacting the runtime environment (customers using SPFx in production), we will be providing a fix for this within the upcoming week(s) and not an urgent patch immediately. We'll provide updates on this issue as comments - as needed.

If there are any questions or comments - please add them on this issue and we'll get back to you. Thank you.

Steps to reproduce

  1. Install SPFx 1.22.1
  2. Scaffold a new project
  3. 5 high severity vulnerabilities are reported
  4. Run npm audit for details on the reported issues

Expected behavior

No vulnerabilities
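A triage check for the distinction the description draws between the local developer toolchain and the runtime, as an added example that is not code from the SPFx project or this issue: it walks an `npm audit --json` report from each vulnerable package up to the direct dependencies that pull it in and reports whether those are devDependencies only. The report shape (auditReportVersion 2 with `isDirect` and `effects`) is assumed from npm's current format, and every package name in the sample data is a constructed placeholder.

```javascript
// Added example (not SPFx project code): triage an `npm audit --json`
// report (auditReportVersion 2) by whether each vulnerable package is reachable
// only through devDependencies. `isDirect` and `effects` are fields of the npm 7+
// report format; every package name below is a constructed placeholder.
const packageJson = {
  dependencies: { "runtime-lib": "^1.0.0" },
  devDependencies: { "local-dev-server": "^4.0.0" },
};

// Constructed report: a DoS advisory in a transitive dependency that only the
// local dev server pulls in, plus a second one that a runtime dependency shares.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "dev-only-dep": { name: "dev-only-dep", severity: "high", isDirect: false,
      via: [{ title: "Denial of service (constructed)" }], effects: ["local-dev-server"] },
    "local-dev-server": { name: "local-dev-server", severity: "high", isDirect: true,
      via: ["dev-only-dep", "shared-parser"], effects: [] },
    "shared-parser": { name: "shared-parser", severity: "moderate", isDirect: false,
      via: [{ title: "Constructed advisory" }], effects: ["runtime-lib", "local-dev-server"] },
    "runtime-lib": { name: "runtime-lib", severity: "moderate", isDirect: true,
      via: ["shared-parser"], effects: [] },
  },
};

// Follow `effects` upward to the direct dependencies that pull a package in.
function directRoots(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = report.vulnerabilities[name];
  if (!entry || entry.isDirect) return [name];
  return entry.effects.flatMap((parent) => directRoots(report, parent, seen));
}

// "runtime" if any root is a production dependency, "dev-only" if every root is a
// devDependency, otherwise "unknown" (no root found, or a root in neither list).
function classifyAudit(report, pkg) {
  const prod = pkg.dependencies || {};
  const dev = pkg.devDependencies || {};
  const result = {};
  for (const name of Object.keys(report.vulnerabilities)) {
    const roots = directRoots(report, name);
    if (roots.some((r) => r in prod)) result[name] = "runtime";
    else if (roots.length > 0 && roots.every((r) => r in dev)) result[name] = "dev-only";
    else result[name] = "unknown";
  }
  return result;
}
console.log(classifyAudit(auditReport, packageJson));
```

In a real project the same question can be asked directly with `npm audit --omit=dev`, which audits only the production dependency tree; a package flagged "runtime" here is the one that still matters for deployed solutions.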

Labels

  • area:spfx - Category: SharePoint Framework (not extensions related)
  • status:tracked - Currently tracked with Microsoft’s internal issue tracking system. DO NOT ADD/REMOVE (MSFT managed)
  • status:working-on-it - Known issue / feature being addressed. Will use other "status:*" labels & comments for more detail.
  • type:bug-confirmed - Confirmed bug, not working as designed / expected.