New Member

PCF: 2 moderate severity vulnerabilities reported by NPM Audit

Has anyone encountered this issue? When I try to build a new PCF control and then perform npm install, npm reports 2 moderate vulnerabilities.





Performing npm audit points to the glob parent under the pcf-scripts.




Steps to recreate

  1. Run "pac init" to create a new PCF (I've tried only the field template)
  2. Perform "npm install"

pac version: 1.9.4


Has anyone resolved this?

Super User

Yes, I see the same results, but I don't see why you would be concerned: PCFs are not publicly facing sites when deployed: they are stored as a bundle in the webresources collection that has no directly accessible URL. There is no single URL path that would render the PCF as a freestanding page, therefore there is no way to hit it with a DDoS attack (and even if there were, the attack is on the powerapp that hosts it--not the PCF--and MSFT provides service protection limits to prevent such attacks), so the vulnerability identified is not valid for the way it will be deployed.
