Legacy Knowledge Base
Published Jul. 2, 2025

Known Vulnerabilities with Liferay Fjord Theme and 1975 London Theme

Written By

Antonio Ortega

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

The following issue may compromise the security of your Liferay Digital Experience Platform implementation. 

Vulnerability Information

The Liferay Fjord Theme and Liferay 1975 London Theme depend on third party libraries that have known vulnerabilities. These vulnerabilities affect the devDependencies in the build only; the deployed code is not affected.

Affected Products

Resolution

Update the affected dependencies listed below: 

Liferay Fjord Theme

Affected library Vulnerability information Resolution
tar-2.2.1 CVE-2018-20834, NPM-803 Upgrade to version 2.2.2 or later
websocket-extensions-0.1.3 CVE-2020-7662, NPM-1710 Upgrade to version 0.1.4 or later
minimist-0.0.10 NPM-1179 Upgrade to versions 0.2.1, 1.2.3 or later
stringstream-0.0.5 NPM-664 Upgrade to version 0.0.6 or later
deep-extend-0.4.2 CVE-2018-3750, NPM-612 Update to version 0.5.1 or later
lodash-4.17.5 CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-16487, NPM-782, NPM-577, NPM-1673, NPM-1523, NPM-1065 Upgrade to version 4.17.21 or later
handlebars-3.0.3 CVE-2021-23383, CVE-2021-23369, CVE-2019-20920, CVE-2015-8861, NPM-755, NPM-61, NPM-1670, NPM-1325, NPM-1324, NPM-1316, NPM-1300, NPM-1164 Upgrade to version 4.7.7 or later
fstream-1.0.11 CVE-2019-13173, NPM-886 Upgrade to version 1.0.12 or later
extend-3.0.1 NPM-996 Upgrade to version 3.0.2 or later
y18n-3.2.1 NPM-1654 Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later
hosted-git-info-2.6.0 CVE-2021-23362, NPM-1677 Upgrade to version 2.8.9, 3.0.8 or later
js-yaml-3.11.0 NPM-813, NPM-788 Upgrade to version 3.13.1
mixin-deep-1.3.1 CVE-2019-10746, NPM-1013 Upgrade to version 1.3.2 or later
set-value-0.4.3 NPM-1012 Upgrade to version 2.0.1 or later
uglify-js-2.3.6 CVE-2015-8858, CVE-2015-8857, NPM-48, NPM-49 Update to version 2.6.0 or later
cli-0.4.5 NPM-95 Update to version 1.0.0 or later
yargs-parser-5.0.0 CVE-2020-7608, NPM-1500 Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later
trim-newlines-1.0.0 NPM-1753 Upgrade to versions 3.0.1 or 4.0.1 or later
diff-1.4.0 NPM-1631 Upgrade to 3.5.0 or later
concat-with-sourcemaps-1.0.5 NPM-644 Update to version 1.0.6 or later
cryptiles-3.1.2 CVE-2018-1000620, NPM-720, NPM-1464 Update to version 4.1.2 or later
node-sass-3.13.1 CVE-2020-24025, NPM-961 Upgrade to version 4.13.1 or later

Liferay 1975 London Theme

Affected library Vulnerability information Resolution
ua-parser-js-0.7.17 NPM-1679 Upgrade to version 0.7.24 or later
xmlhttprequest-ssl-1.5.3 NPM-1746, NPM-1665 Upgrade to version 1.6.2 or later
http-proxy-1.16.2 NPM-1486 Upgrade to version 1.18.1 or later
bl-0.9.5 NPM-1555 Upgrade to version 4.0.3, 3.0.1, 2.2.1 or 1.2.3
socket.io-1.7.3 NPM-1609 Update to version 2.4.0 or later
node-fetch-1.7.3 NPM-1556 Upgrade to version 2.6.1 or 3.0.0-beta.9
adm-zip-0.4.7 CVE-2018-1002204, NPM-994, NPM-681 Update to version 0.4.9 or later
parsejson-0.0.3 NPM-528 This issue has not been fixed. It is the latest version.
marked-0.3.6 CVE-2017-1000427, NPM-531 Update to version 0.3.9 or later
https-proxy-agent-1.0.0 NPM-593, NPM-1184 Upgrade to version 3.0.0 or 2.2.3
braces-0.1.5 NPM-786 Upgrade to version 2.3.1 or higher
sync-exec-0.5.0 NPM-310 There is currently no direct patch in any newer release
debug-2.2.0 NPM-534 Update to version 2.6.9 or later
acorn-3.3.0 NPM-1488 Upgrade to versions 5.7.4, 6.4.1, 7.1.1 or later
moment-2.0.0 CVE-2017-18214, CVE-2016-4055, NPM-55, NPM-532 Update to version 2.19.3 or later
mime-1.3.6 NPM-535 Update to version 2.0.3 or later
lodash.merge-4.6.0 NPM-1067, NPM-1066 Update to version 4.6.2 or later
deap-1.0.0 CVE-2018-3749, NPM-611 Update to version 1.0.1 or later
growl-1.9.2 NPM-146 Update to version 1.10.2 or later
is-my-json-valid-2.16.0 NPM-572 Update to version 1.4.1, 2.17.2 or later
open-0.0.5 NPM-663 open is now the deprecated opn package. Upgrading to the latest version is likely have unwanted effects since it now has a very different API but will prevent this vulnerability.
ws-1.1.2 NPM-550 Update to version 3.3.1 or later
bower-1.8.0 NPM-776 Update to version 1.8.8 or later
concat-with-sourcemaps-1.0.4 NPM-644 Update to version 1.0.6 or later
Did this article resolve your issue ?

Legacy Knowledge Base