Xojo Web 2.0 and Cyber Resilience Act (CRA) Compliance – Looking for Insights

Hi everyone,

I’m currently evaluating a Xojo Web application in the context of the upcoming EU Cyber Resilience Act (CRA), with a focus on:

  • Software Bill of Materials (SBOM)
  • Dependency transparency
  • Vulnerability traceability

As part of this work, I analyzed (with GPT) a Xojo Web application built with Xojo 2026r1 using:

  • a compiled build
  • a HAR export from the browser (with caching disabled)
  • and the release notes from Xojo

No plugins were referenced in the project, but these plugins are installed:

  • MBS Plugins
  • Einhugur WindowSplitter
  • sqlaps CubeSQLPlugin
  • TextInputCanvas

Normally these should have no impact on Web 2.0 Projects as long as they are not called.


Observed runtime dependencies

From the runtime analysis, I observed the following browser-side components being loaded:

  • Bootstrap 5.3.8
  • Bootstrap Icons 1.13.1
  • jQuery 3.5.1
  • Modernizr 3.12.0
  • bootstrap-datepicker 1.10.0
  • Chart.js 4.2.1
  • chartjs-plugin-labels 3.1.0
  • DataTables 2.3.4
  • MapLibre GL JS 4.7.1
  • html-to-image (version not exposed)
  • ZXing (version not exposed)
  • EventSource polyfill (version not exposed)

For most of these observed versions, I could not identify direct CVEs in the public vulnerability sources I checked. However, some components are older or not fully transparent in terms of versioning.


Observation regarding release notes

According to the Xojo 2026r1 Web release notes, the dependency on Modernizr has been removed.

However, in my runtime analysis of an application built with Xojo 2026r1, I still observe Modernizr 3.12.0 being loaded in the browser.

Given that caching was disabled during the HAR capture, this appears to reflect the actual runtime behavior.

I would like to better understand how this should be interpreted:

  • Is Modernizr still included indirectly via other bundled components?
  • Is there a specific condition under which it is still delivered?
  • Or is there a difference between documented and effective runtime dependencies?

CRA-related considerations

From a CRA perspective, the following aspects are particularly relevant:

  • Having a complete and reliable SBOM
  • Being able to identify all third-party components and their versions
  • Ensuring consistency between documentation and runtime behavior

In my current analysis:

  • Some dependencies are visible only at runtime (HAR), not in documentation
  • Some versions are not clearly identifiable
  • There appears to be at least one mismatch between release notes and runtime behavior

Questions to the community / Xojo team

I would really appreciate any insights on the following:

  1. Is there any official documentation listing all third-party dependencies used in Xojo Web 2.0 (including versions)?

  2. Are there plans to provide an official SBOM for Xojo Web applications?

  3. How should developers approach dependency tracking for compliance purposes (CRA, ISO 21434, etc.) when using Xojo Web?

  4. How should the observed Modernizr behavior be interpreted in the context of the 2026r1 release notes?

  5. Has anyone already worked on CRA or similar compliance requirements with Xojo Web?

  6. Does anyone know about other dependencies not mentioned?


Goal

This is not meant as criticism — I’m trying to understand how to best handle:

  • compliance requirements
  • dependency visibility
  • and audit readiness

when working with Xojo Web.

Any clarification or experience would be greatly appreciated.

Thanks a lot!

CRA Assessment for Xojo Web 2.0 Runtime Dependency Transparency

Product assessed: Xojo Web application
Build used for runtime verification: Xojo 2026r1 build supplied by the requester
Assessment basis: Runtime HAR inspection, supplied build artifact, and Xojo Web release notes from the introduction of Web 2.0 onward

Scope and method

This assessment is based on three inputs:

  1. Runtime evidence from the browser HAR, treated as the primary source for what was actually loaded.
  2. The supplied build artifact.
  3. Xojo’s official Web release notes only, starting with the introduction of Web 2.0 in 2020r1.

This document distinguishes between:

  • confirmed CVEs affecting the observed version
  • no known direct CVEs found for the observed version in checked public sources
  • conflicting or disputed advisory status
  • version unknown, exact CVE matching not possible

Executive summary

The main CRA-relevant issue is not a large number of confirmed client-side CVEs.

The main issues are:

  • incomplete dependency transparency
  • no vendor-provided SBOM for the observed runtime stack
  • several browser-side dependencies not clearly disclosed in Xojo Web release notes
  • a documented mismatch between Xojo 2026r1 release notes and observed runtime behavior regarding Modernizr

Runtime inventory and status

Runtime Dependency Overview (Compact)

| Component | Version | Source | CVEs (observed version) | CVEs (later versions) | Xojo release notes | Transparency |
| --- | --- | --- | --- | --- | --- | --- |
| Bootstrap | 5.3.8 | HAR / RN | ✅ | ✅ | ✅ | 🟢 |
| Bootstrap Icons | 1.13.1 | HAR / RN | ✅ | ✅ | ✅ | 🟢 |
| jQuery | 3.5.1 | HAR | ✅ | ✅ | ❌ | 🟡 |
| Modernizr | 3.12.0 | HAR / RN | ✅ | ✅ | ⚠️ | 🔴 |
| Datepicker | 1.10.0 | HAR / RN | ✅ | ✅ | ⚠️ | 🟡 |
| Chart.js | 4.2.1 | HAR | ✅ | ✅ | ❌ | 🟡 |
| chartjs-plugin-labels | 3.1.0 | HAR | ✅ | ✅ | ❌ | 🔴 |
| DataTables | 2.3.4 | HAR | ⚠️ | ⚠️ | ❌ | 🔴 |
| MapLibre GL JS | 4.7.1 | HAR | ✅ | ✅ | ❌ | 🟡 |
| html-to-image | ? | HAR | ❓ | ❓ | ❌ | 🔴 |
| ZXing | ? | HAR / RN | ❓ | ❓ | ⚠️ | 🟡 |
| EventSource Polyfill | ? | HAR | ❓ | ⚠️ | ❌ | 🔴 |

Legend

| Symbol | Meaning |
| --- | --- |
| ✅ | No known CVEs for this version |
| ⚠️ | Conflicting / unclear status |
| ❓ | Version unknown → cannot assess |
| ❌ | Not disclosed in Xojo release notes |
| 🟢 | High transparency |
| 🟡 | Medium transparency |
| 🔴 | Low transparency |
| HAR | Browser HAR export (runtime) |
| RN | Release notes |

Bootstrap

  • Observed version: 5.3.8
  • Observed at runtime: Yes
  • Known CVEs for this exact version: None found in checked public package databases
  • Known CVEs in later versions: None found in checked public package databases reviewed
  • Xojo Web release-note status:
    • 2020r1: Web framework updated to support Bootstrap 4
    • 2022r1: Bootstrap updated to 4.6.1
    • 2024r1: Web UI aligned with Bootstrap 5 guidelines
    • 2025r3: Bootstrap updated to 5.3.7
    • 2026r1: Bootstrap updated to 5.3.8
  • Assessment: Low current public CVE pressure; vendor-controlled lifecycle remains relevant for CRA

Bootstrap Icons

  • Observed version: 1.13.1
  • Known CVEs for this exact version: None found
  • Known CVEs in later versions: None found in checked public sources reviewed
  • Xojo Web release-note status:
    • 2020r1: Bootstrap Icons made available in Web
    • 2021r3: updated to 1.5
    • 2023r1: updated to 1.10.3
    • 2025r3: updated to 1.13.1
  • Assessment: Low current public CVE pressure

jQuery

  • Observed version: 3.5.1
  • Known CVEs for this exact version: None found
  • Relevant earlier CVEs:
    • CVE-2020-11022 affects versions before 3.5.0
    • CVE-2020-11023 affects versions before 3.5.0
  • Known CVEs in later versions: None found in checked package-database pages reviewed
  • Xojo Web release-note status: No explicit jQuery version disclosure found in reviewed Xojo Web release notes
  • Assessment: Outdated, but not currently evidenced as directly vulnerable in checked public records

Modernizr

  • Observed version: 3.12.0
  • Known CVEs for this exact version: None found
  • Known CVEs in later versions: None found in checked public sources reviewed
  • Xojo Web release-note status:
    • 2020r1: Modernizr explicitly referenced
    • 2026r1: Xojo states the dependency on Modernizr was removed
  • Assessment: Major transparency finding due to release-note/runtime mismatch

Bootstrap Datepicker

  • Observed version: 1.10.0
  • Known CVEs for this exact version: None found
  • Known CVEs in later versions: None found in checked public sources reviewed
  • Xojo Web release-note status:
    • 2025r3: underlying WebDatePicker library updated from 1.9 to 1.10
  • Assessment: Low current public CVE pressure; at least partially disclosed by vendor

Chart.js

  • Observed version: 4.2.1
  • Known CVEs for this exact version: None found
  • Relevant earlier CVEs:
    • CVE-2020-7746 affects versions before 2.9.4
  • Known CVEs in later versions: None found in checked public sources reviewed
  • Xojo Web release-note status: No explicit Chart.js version disclosure found
  • Assessment: Low current public CVE pressure, but dependency/version not clearly disclosed by vendor

chartjs-plugin-labels

  • Observed version: 3.1.0
  • Known CVEs for this exact version: None found
  • Known CVEs in later versions: None found in checked public sources reviewed
  • Xojo Web release-note status: Not explicitly mentioned
  • Assessment: Low current public CVE pressure; undisclosed dependency

DataTables

  • Observed version: 2.3.4
  • Known CVEs for this exact version: Conflicting public status
  • Notes:
    • CVE-2021-23445 affects versions before 1.11.3 and does not apply to 2.3.4
    • CVE-2020-28458 is described by some public sources as affecting all versions of datatables.net
    • current package-specific pages for datatables.net 2.3.4 may show no direct vulnerabilities
  • Xojo Web release-note status: No explicit DataTables version disclosure found
  • Assessment: Disputed advisory status; requires vendor clarification

MapLibre GL JS

  • Observed version: 4.7.1
  • Known CVEs for this exact version: None found
  • Known CVEs in later versions: None found in checked public sources reviewed
  • Xojo Web release-note status: WebMapViewer features are mentioned, but MapLibre and its version are not explicitly disclosed
  • Assessment: Low current public CVE pressure; undisclosed dependency

html-to-image

  • Observed version: Unknown
  • Known CVEs for exact bundled version: Cannot be determined
  • Package-level status checked: No direct vulnerabilities found in checked public package pages reviewed
  • Xojo Web release-note status: Not explicitly mentioned
  • Assessment: Present, but version not disclosed; exact CVE matching not possible

ZXing

  • Observed version: Unknown
  • Known CVEs for exact bundled version: Cannot be determined
  • Package-level status checked: No direct vulnerabilities found in checked public package pages reviewed
  • Xojo Web release-note status:
    • 2026r1: barcode reading support added for Web
  • Assessment: Functionality disclosed, implementation/version not disclosed

EventSource polyfill / Yaffle EventSource

  • Observed version: Unknown
  • Known CVEs for exact bundled version: Cannot be determined
  • Package-level advisory context: Public advisory history exists for parts of this package line, but applicability to the observed bundled file cannot be confirmed without an exact version
  • Xojo Web release-note status: Not explicitly mentioned
  • Assessment: Medium transparency concern due to unknown exact version

CRA assessment

Main strengths

  • Several observed runtime versions do not currently show direct public CVEs in the checked records
  • Xojo Web release notes do disclose some third-party dependency updates, especially for Bootstrap, Bootstrap Icons, and bootstrap-datepicker

Main weaknesses

  1. Incomplete dependency disclosure
  2. No vendor-provided SBOM
  3. Runtime/documentation mismatch for Modernizr
  4. Unknown exact versions for some bundled libraries
  5. Conflicting public advisory status for DataTables

Corrected risk rating

Exploitable client-side CVE risk

Moderate

Rationale:

  • many observed libraries show no direct CVEs in checked public sources
  • DataTables remains unresolved
  • some exact versions are unknown

CRA readiness

Partial / weak

Rationale:

  • incomplete dependency transparency
  • no official SBOM
  • vendor/runtime mismatch
  • missing exact version disclosure for some runtime components

Recommended statement

Runtime analysis of a Xojo 2026r1 Web application confirmed several third-party browser-side dependencies. For most observed versions, no direct public CVEs were found in the checked vulnerability sources. However, dependency transparency remains insufficient for CRA-grade assurance because Xojo’s Web release notes do not fully disclose all bundled runtime dependencies, several exact versions remain undisclosed, and a 2026r1 runtime still loaded Modernizr despite the 2026r1 release notes stating that the dependency had been removed.

Requested vendor clarifications

  • Official SBOM for Xojo Web runtime
  • Clarification on the Modernizr discrepancy
  • Official browser-side dependency list including versions
  • Clarification on DataTables advisory applicability
4 Likes
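The HAR-based inventory and the release-note cross-check described in the post above, as an added example (not part of the original post and not Xojo's tooling). The HAR fragment, the `DECLARED` versions and the `REMOVED` set are constructed stand-ins; a real run would `json.load` the browser's HAR export and fill the two constants from the vendor's release notes.

```python
import re

# Constructed HAR fragment (not a real capture); only the fields the inventory
# needs are present, and each body is the first bytes of the served script.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://app.example/framework/bootstrap.bundle.min.js"},
     "response": {"content": {"text": "/*! Bootstrap v5.3.8 (https://getbootstrap.com/) */"}}},
    {"request": {"url": "https://app.example/framework/jquery-3.5.1.min.js"},
     "response": {"content": {"text": "/*! jQuery v3.5.1 | (c) JS Foundation */"}}},
    {"request": {"url": "https://app.example/framework/modernizr.min.js"},
     "response": {"content": {"text": "/*! modernizr 3.12.0 (Custom Build) | MIT */"}}},
    {"request": {"url": "https://app.example/framework/html-to-image.min.js"},
     "response": {"content": {"text": "!function(t,e){/* no version banner */}"}}},
]}}
# Constructed stand-in for what release notes disclose: declared versions, plus
# components the vendor documents as removed (the Modernizr case in this thread).
DECLARED = {"bootstrap": "5.3.8"}
REMOVED = {"modernizr"}

def library_name(filename):
    """bootstrap.bundle.min.js -> bootstrap; jquery-3.5.1.min.js -> jquery."""
    base = re.sub(r"\.(min\.)?(js|css)$", "", filename.lower())
    base = re.sub(r"[-_.]v?\d+(\.\d+)*$", "", base)  # strip a trailing version
    return re.sub(r"[-_.]bundle$", "", base)

def library_version(filename, body):
    """File-name version first, else the /*! ... */ banner minifiers keep; None if neither."""
    m = re.search(r"[-_.]v?(\d+\.\d+(?:\.\d+)?)\.(?:min\.)?(?:js|css)$", filename.lower())
    if not m:
        m = re.search(r"\bv?(\d+\.\d+\.\d+)\b", body[:400])
    return m.group(1) if m else None

def inventory_from_har(har):
    """Map library name -> observed version (or None) for every JS/CSS response."""
    observed = {}
    for entry in har["log"]["entries"]:
        filename = entry["request"]["url"].split("?")[0].rsplit("/", 1)[-1]
        if re.search(r"\.(js|css)$", filename.lower()):
            body = entry["response"].get("content", {}).get("text", "")
            observed[library_name(filename)] = library_version(filename, body)
    return observed

def compare(observed, declared, removed):
    """The CRA-relevant findings: undisclosed, mismatched, unknown, or 'removed' yet loaded."""
    report = {"undisclosed": [], "mismatch": [], "unknown_version": [], "removed_but_loaded": []}
    for name, ver in sorted(observed.items()):
        if ver is None:
            report["unknown_version"].append(name)
        if name in removed:
            report["removed_but_loaded"].append(name)
        elif name not in declared:
            report["undisclosed"].append(name)
        elif ver and declared[name] != ver:
            report["mismatch"].append((name, declared[name], ver))
    return report
```

Everything that ends up in `unknown_version` or `undisclosed` is exactly the gap the assessment above flags: a component that cannot be matched to an advisory, or that only runtime evidence reveals.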

Hi Daniel, let me try to reply to your questions:

As of 2026r1, here is the updated list. Dependencies are always loaded automatically unless specified.

  • The Xojo JavaScript Framework itself that gets updated on each release
  • Bootstrap 5.3.8
  • Bootstrap Icons 1.31.1
  • Modernizr 3.12.0
  • EventSource Polyfill 1.0.31
  • jQuery 3.5.1
  • jQuery UI 1.14.1
  • Moment.js (only loaded when using WebListBoxDateTimeRenderer)
  • ZXing 0.21.3 (only loaded when using WebBarCode)
  • Chart.js 4.2.1 and Chart.js Labels Plugin 3.1.0 (only loaded when using WebChart)
  • Bootstrap Datepicker 1.10.0 (only loaded when using WebDatePicker)
  • DataTables 2.3.4 (only loaded when using WebListBox)
  • MapLibre 4.7.1 and html-to-image 1.11.13 (only loaded when using WebMapViewer)

It hasn’t been requested; please create a new Feature Request so we can gather interest and provide it.

I guess that can be better replied to by other forum users already doing this kind of compliance.

The Xojo framework isn’t using Modernizr internally anymore, but it’s still there and served to allow the deprecated WebSDKControl.BrowserCompatibility method to continue working for a while.

Already answered above.

I hope that helps! Please let me know if you need more information.

5 Likes

Thank you so much for the provided information. I’ll file a feature request tomorrow that the provided SBOM should be part of the release notes.

2 Likes

These types of reviews are very important to me, thanks to the fact that security and risk management were instilled in me almost 30 years ago at one of the largest accounting firms.

Thank you for sharing your questions and Ricardo Cruz’s answer.

Behind the company is an interest in risk assessment at XOJO, I suppose.

Are you interested in XOJO Cloud?

The server side libraries don’t seem to be listed, are those important for compliance with this act?

Staff members changing (read: adding to) the server side requirements without informing the Web/Cloud team has even caused problems for Xojo Cloud in the past. There was a short period where Lifeboat was more on top of undocumented server requirements than their own service.

OP asked about a specific regulation, the Cyber Resilience Act, which does have a boolean “check box” for “does the provided bill of materials comply with the regulation”. I was specifically asking whether this list of only the front-end libraries satisfies the regulation.

Please refrain from using AI to respond to my inquiries, thank you.

4 Likes

I’m interested in the level of compliance behind a web server, specifically XOJO Cloud.

After reading what you wrote, I got the impression that you were interested in server-side compliance. You even mentioned past issues with XOJO Cloud.

In my experience, server compliance is different from the compliance required for a coding tool.

From a CRA perspective, it does not matter whether dependencies are client-side or server-side.

What matters is:

The SBOM must include all components that are part of the product, regardless of where they run.

So a list of only front-end libraries would not be sufficient. It needs to cover:

  • Server-side components
  • Build-time dependencies
  • Runtime dependencies (including dynamically loaded ones)
  • Bundled third-party libraries (even if indirectly included)

In short: if it is shipped, executed, or required for the product to function, it needs to be in the SBOM.

So the HAR-based frontend analysis is a good start, but for CRA compliance it has to be extended to the full software stack.

@Ricardo_Cruz : Does the list contain client- and server-side libraries and dependencies? What about the different operating systems? Does the SBOM differ between macOS, Windows and Linux as server OS?

1 Like

I’ve listed the frontend dependencies, I’ll grab the server dependencies and let you know.

On the server side, yes, dependencies will likely differ depending on the deployed OS. Frontend libraries are always the same, no matter the OS being deployed to, or the OS the client will use.