Category
Bug
Version
- SPFx: 1.23.0
- Node.js: 22.22.2
- pnpm: 11.3.0
Describe the bug
While upgrading SPFx solutions to 1.23.0, I observed that @microsoft/sp-adaptive-card-extension-base@1.23.0 still resolves the transitive dependency swiper@8.4.7.
In environments with vulnerability enforcement and dependency governance, this causes installation issues and requires consumers to maintain dependency overrides as a workaround.
Observed Behavior
The dependency graph resolves:
@microsoft/sp-adaptive-card-extension-base@1.23.0
└── swiper@8.4.7
During installation, the vulnerable Swiper version is still requested as part of the dependency tree.
To complete the installation successfully, an override is required:
pnpm:
  overrides:
    swiper: 12.1.3
(or another approved non-vulnerable version)
Expected Behavior
SPFx 1.23.0 packages should not depend on vulnerable package versions that require consumers to maintain manual overrides.
Ideally:
- The dependency should be updated to a non-vulnerable Swiper version.
- Or guidance should be provided if the current version is intentionally retained.
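An added example (not code from this issue or the SPFx project) of the check a consumer can run before applying the workaround above: it walks a dependency tree in the shape `pnpm list --json --depth Infinity` prints, flags any resolution below a policy minimum, and builds the package.json `pnpm.overrides` entry that pins it. It assumes plain x.y.z versions and uses 12.1.3, the value given in the issue, as the minimum.

```javascript
// Added example, not code from the issue or the SPFx project. Walks a
// dependency tree shaped like `pnpm list --json` output ({name: {version,
// dependencies}}), flags packages resolved below a policy minimum, and builds
// the package.json `pnpm.overrides` entry that pins them.
// Assumptions: plain x.y.z versions; the minimum is a governance choice.

const MIN_SAFE = { swiper: '12.1.3' };

// Numeric x.y.z comparison: negative when a < b, zero when equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect {name, version, path} for every resolution that is
// below the policy minimum, so scoped names and deep chains are handled.
function findVulnerable(deps, policy = MIN_SAFE, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (policy[name] && compareVersions(info.version, policy[name]) < 0) {
      out.push({ name, version: info.version, path: here.join(' > ') });
    }
    findVulnerable(info.dependencies, policy, here, out);
  }
  return out;
}

// Return a copy of package.json whose pnpm.overrides pins each flagged
// package to its minimum, preserving overrides that are already there.
function withOverrides(pkgJson, findings, policy = MIN_SAFE) {
  const overrides = { ...((pkgJson.pnpm && pkgJson.pnpm.overrides) || {}) };
  for (const f of findings) overrides[f.name] = policy[f.name];
  return { ...pkgJson, pnpm: { ...(pkgJson.pnpm || {}), overrides } };
}

// Constructed sample mirroring the graph reported in the issue.
const SAMPLE_TREE = {
  '@microsoft/sp-adaptive-card-extension-base': {
    version: '1.23.0',
    dependencies: { swiper: { version: '8.4.7' } },
  },
};

for (const f of findVulnerable(SAMPLE_TREE)) console.log('vulnerable:', f.path);
```

Pointing `findVulnerable` at the `dependencies` object of a real `pnpm list --json --depth Infinity` project entry reports every chain that still pulls the old version, which is the evidence to attach when asking the upstream package to update.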