Forum Discussion
SPFX supported version for SPSE
Hi Nicolae, we've heard the feedback asking for SharePoint Server Subscription Edition to support newer versions of SharePoint Framework. (Thanks to everyone for sharing your feedback!) I'm afraid it's too early at this stage for us to commit to anything, but this is a request we're actively discussing / exploring.
- sumeetsinghal5688 Nov 29, 2022 Brass Contributor
Thanks for mentioning these security vulnerabilities, TroyStarr, we have been waiting for your response since Sep 2022, looks like On-Premise has been left an orphan and overdose nutrition is provided to cloud products.
- petval Sep 09, 2022 Copper Contributor
Hello TroyStarr
Another obvious reason that hasn't been listed yet is the obvious security risks. Many of the packages used by SPFx 1.4.1 use already vulnerable versions that have long been patched in the new versions. But we can't use them because we are locked to the legacy version.
Here is the result of the XRay alert in our pipeline when building SPFx 1.4.1:
[Pipeline] xrayScan
Security Violations
# Severity Component CVE
1 High handlebars:4.1.2 CVE-2021-23369
2 High handlebars:4.1.2
3 High handlebars:4.1.2 CVE-2019-20922
4 High handlebars:4.1.2 CVE-2019-19919
5 High handlebars:4.1.2 CVE-2021-23383
6 High diff:3.2.0
7 High js-yaml:3.13.1 CVE-2021-22150
8 High js-yaml:3.7.0 CVE-2021-22150
9 High lodash:2.4.2 CVE-2021-41720
10 High handlebars:4.1.2
11 High handlebars:4.1.2
12 High js-yaml:3.7.0
13 High lodash:1.0.2 CVE-2021-41720
14 High acorn:5.7.3
15 High handlebars:4.1.2 CVE-2019-20922
16 High handlebars:4.1.2 CVE-2021-23369
17 High handlebars:4.1.2
18 High handlebars:4.1.2
19 High handlebars:4.1.2 CVE-2019-19919
20 High handlebars:4.1.2
21 High acorn:5.7.3
22 High js-yaml:3.13.1 CVE-2021-22150
23 High handlebars:4.1.2
24 High diff:3.2.0
25 High js-yaml:3.7.0
26 High lodash:1.0.2 CVE-2021-41720
27 High js-yaml:3.7.0 CVE-2021-22150
28 High tmpl:1.0.4 CVE-2021-3777
29 High handlebars:4.1.2 CVE-2021-23383
30 High handlebars:4.1.2
31 High lodash:2.4.2 CVE-2021-41720
And as a developer I totally hate being locked to the old versions of TS, React, Node etc.
Also, some industries have such tight legislative regulations (Swiss banking in my current case) that going to the cloud is more difficult on the legal than on the technical level. So staying on SP2019 will be a security risk now.
- TroyStarr Aug 25, 2022 Microsoft
Nicolae, this is something we're truly interested in, which is why we're exploring it. Unfortunately for a variety of engineering reasons it isn't as simple as it might seem. But please continue to share your needs as that will help us to prioritize the right investments.