Acknowledgment from Microsoft - v1.22.2 has new vulnerability issues with npm audit - not impacting SPFx solutions in production #10648

@VesaJuvonen

Description

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

SPFx - 1.22.1
Nodejs - 22.14.0

Describe the bug / error

After scaffolding a new project with SPFx 1.22.1, npm audit reports 3 low severity vulnerabilities.

GitHub advisory details:

This is a server-side vulnerability that is reported as part of the SPFx project installation, since the project also supports hosting the developer environment locally as part of the developer experience. It is not a runtime SPFx issue and is not a vulnerability in a customer tenant when SPFx-based solutions are used by end users.

In the case of SPFx, the attack vector is DoS against the developer's localhost, which is accessible only to the developer who requests assets from it. The security issue exists when the vulnerable package is used in Node.js server-side solutions, which is not the case for SPFx solutions running in production.

Even though this security issue does not impact customer SPFx solutions running in customer tenants, we acknowledge the importance of avoiding any confusion around these reported security issues. As part of our commitment to keeping the npm audit logs clean, we are working on addressing this issue in the upcoming SPFx 1.22.3 release.

As this issue does not impact the runtime environment (customers using SPFx in production), we will provide a fix within the upcoming week(s) rather than an urgent patch immediately. We'll provide updates on this issue as comments, as needed. The current plan is to publish 1.22.3 in the last week of February with fixes that address these low severity vulnerabilities.

If there are any questions or comments, please add them to this issue and we'll get back to you. Thank you.
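The argument above rests on the flagged packages being dev-time dependencies (the local dev server) rather than anything that ships in the production bundle. The following added example, which is not part of this issue or of the SPFx project, shows how to verify that from the files npm already produces: it joins the `vulnerabilities[*].nodes` of `npm audit --json` output against the `dev` / `devOptional` flags in `package-lock.json`. The audit report, lockfile excerpt and package names are constructed placeholders, not the packages actually flagged by the 1.22.x scaffold.

```python
import json

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
# Package names and advisory titles are hypothetical placeholders.
AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-dev-server": {
            "name": "example-dev-server", "severity": "low", "isDirect": False,
            "via": [{"title": "DoS via crafted request (placeholder)", "severity": "low"}],
            "nodes": ["node_modules/example-dev-server"], "fixAvailable": True},
        "example-runtime-lib": {
            "name": "example-runtime-lib", "severity": "low", "isDirect": True,
            "via": [{"title": "Prototype pollution (placeholder)", "severity": "low"}],
            "nodes": ["node_modules/example-runtime-lib"], "fixAvailable": True},
    },
})

# Constructed package-lock.json (lockfileVersion 3) excerpt. npm marks packages
# reachable only through devDependencies with "dev": true ("devOptional": true
# when they are also optional); entries without those flags ship at runtime.
LOCK_JSON = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "spfx-sample", "version": "0.0.1"},
        "node_modules/example-dev-server": {"version": "1.9.0", "dev": True},
        "node_modules/example-runtime-lib": {"version": "1.4.0"},
    },
})


def is_dev_only(pkg_entry: dict) -> bool:
    """True when the lockfile entry is reachable only from devDependencies."""
    return bool(pkg_entry.get("dev") or pkg_entry.get("devOptional"))


def triage_audit(audit_json: str, lock_json: str) -> dict:
    """Bucket npm audit findings into dev-only and runtime-reachable.

    A finding is dev-only when every installed node npm attributes it to is a
    dev-only lockfile entry. Nodes missing from the lockfile fail closed (runtime).
    """
    audit = json.loads(audit_json)
    packages = json.loads(lock_json)["packages"]
    result = {"dev_only": [], "runtime": []}
    for name, vuln in audit.get("vulnerabilities", {}).items():
        nodes = vuln.get("nodes") or []
        dev_only = bool(nodes) and all(is_dev_only(packages.get(n, {})) for n in nodes)
        result["dev_only" if dev_only else "runtime"].append((name, vuln.get("severity")))
    return result
```

On a real project, feed it the output of `npm audit --json` and the project's own `package-lock.json`; `npm audit --omit=dev` gives the same production-only view directly in npm 8 and later.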

Steps to reproduce

  1. Install SPFx 1.22.2
  2. Scaffold a new project
  3. 3 low severity vulnerabilities are reported
  4. Run npm audit for details on the reported issues

Expected behavior

No vulnerabilities

Metadata

Labels

  • area:spfx - Category: SharePoint Framework (not extensions related)
  • status:fixed-next-drop - Issue planned to be fixed in an upcoming release.
  • type:bug-confirmed - Confirmed bug, not working as designed / expected.
