chore: update versions.json in 24.9 with latest WC

[vaadin-bot]

No description provided.

[github-actions]

Dependencies Report

• 🚫 Vulnerabilities:

  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin@24.9-SNAPSHOT [CVE-2026-2742] (osv-bomber,osv-scan)
    ·
  • Vulnerabilities in: pkg:maven/com.vaadin/flow-server@24.9-SNAPSHOT [CVE-2026-2742] (osv-bomber,osv-scan)
    ·
  • Vulnerabilities in: pkg:npm/dompurify@3.4.8 [GHSA-vxr8-fq34-vvx9] (osv-bomber)
    ·
  • Vulnerabilities in: pkg:maven/org.springframework.security/spring-security-config@6.5.10 [CVE-2026-40988, CVE-2026-41003, CVE-2026-41694] (owasp)
    · cpe:2.3:a:vmware:spring_security::::::::
  • Vulnerabilities in: pkg:maven/org.springframework.security/spring-security-oauth2-core@6.5.10 [CVE-2026-40988, CVE-2026-41003, CVE-2026-41694] (owasp)
    · cpe:2.3:a:vmware:spring_security::::::::
  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-core@24.9-SNAPSHOT [CVE-2026-2742, CVE-2026-2741] (owasp)
    · cpe:2.3:a:vaadin:vaadin::::::::

• 🟠 Known Vulnerabilities:

  • Vulnerabilities in: pkg:npm/%40opentelemetry/core@1.9.0 [CVE-2026-54285] (osv-bomber)
    👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
    ·
  • Vulnerabilities in: pkg:npm/%40opentelemetry%2Fcore@1.8.0 [CVE-2026-54285] (osv-scan)
    👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
    ·
  • Vulnerabilities in: pkg:npm/%40opentelemetry%2Fcore@1.9.0 [CVE-2026-54285] (osv-scan)
    👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
    ·
  • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3 [CVE-2023-35116] (owasp)
    👌 Not a valid CVE report based on the vendor analysis and research
    · cpe:2.3:a:fasterxml:jackson-databind::::::::
  • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
    👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
    · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
    · cpe:2.3:a:ada:ada::::::::
  • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.9.20 [CVE-2020-29582] (owasp)
    👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
    · cpe:2.3:a:jetbrains:kotlin::::::::
    · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
  • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.0 [CVE-2020-29582] (owasp)
    👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
    · cpe:2.3:a:jetbrains:kotlin::::::::
    · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
  • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.6.20 [CVE-2020-29582] (owasp)
    👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
    · cpe:2.3:a:jetbrains:kotlin::::::::
    · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
  • Vulnerabilities in: pkg:maven/io.netty/netty-codec-memcache@4.1.135.Final [CVE-2026-42582] (owasp)
    👌 FP: Based on GHSA-2c5c-chwr-9hqw, the entire 4.1.x branch of Netty does not contain the HTTP/3 codec sub-module or the QpackDecoder class.
    · cpe:2.3:a:netty:netty::::::::
  • Vulnerabilities in: pkg:maven/io.netty/netty-codec-mqtt@4.1.135.Final [CVE-2026-42582] (owasp)
    👌 FP: Based on GHSA-2c5c-chwr-9hqw, the entire 4.1.x branch of Netty does not contain the HTTP/3 codec sub-module or the QpackDecoder class.
    · cpe:2.3:a:netty:netty::::::::
  • Vulnerabilities in: pkg:maven/io.netty/netty-transport@4.1.135.Final [CVE-2026-42582] (owasp)
    👌 FP: Based on GHSA-2c5c-chwr-9hqw, the entire 4.1.x branch of Netty does not contain the HTTP/3 codec sub-module or the QpackDecoder class.
    · cpe:2.3:a:netty:netty::::::::
  • Vulnerabilities in: pkg:javascript/quill@1.3.7 [CVE-2021-3163] (owasp)
    👌 Disputed. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser
    · cpe:2.3:a:slab:quill:4.8.0:::::node.js::
  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-swing-kit-flow@2.4.2 [CVE-2021-33604] (owasp)
    👌 false report: this CVE is targeting Vaadin version prior 20, swing-kit-flow is using vaadin 24+ version, the related issue has been fixed.
    · cpe:2.3:a:vaadin:flow-server::::::::
    · cpe:2.3:a:vaadin:vaadin::::::::

• 📔 No Core License Issues

• 📔 No License Issues

• 🟠 Changes in 24.9-SNAPSHOT since V24.9.18

  • 1 packages removed (1 external, 0 vaadin)
  • 6 packages added (6 external, 0 vaadin)
  • 143 packages modified (73 external, 70 vaadin)
  • 577 packages same (412 external, 165 vaadin)

[Click for more Details]