Showing results for 
Search instead for 
Did you mean: 
New Member

PCF: 2 moderate severity vulnerabilities reported by NPM Audit

Have anyone encountered this issue when I try to build a new PCF control then perform npm install, npm reports 2 moderate vulnerability? 





Performing npm audit points to the glob parent under the pcf-scripts




Steps to recreate

  1. Run "pac init" to create a new pcf (I've tried only field template)
  2. perform "npm install" 

pac version: 1.9.4


Have anyone resolved this? 

Super User
Super User

Yes, I see the same results, but I don't see why you would be concerned: PCFs are not publicly facing sites when deployed: they are stored as a bundle in the webresources collection that has no directly accessible URL. There is no single url path that would render the PCF as a freestanding page, therefore there is no way to hit it with a ddos attack (and even if there were, the attack is on the powerapp that hosts it--not the pcf--and MSFT provides service protection limits to prevent such attacks), so the vulnerability identified is not valid for the way it will be deployed.

Helpful resources

2022 Release Wave 1 760x460.png

2022 Release Wave 1 Plan

Power Platform release plan for the 2022 release wave 1 describes all new features releasing from April 2022 through September 2022.

Community Connections 768x460.jpg

Community & How To Videos

Check out the new Power Platform Community Connections gallery!

Users online (1,050)