Custom Component Vulnerabilities

  1. My goal: I want to build a custom JS react component (embedding atlas) and tried doing this using the custom-component-collections-template
  2. Issue: I took the steps listed here Build custom React components | Retool Docs and when I ran npm install it showed there were ~10 vulnerabilities with the existing packages
  3. Steps I've taken to troubleshoot:
    1. Ran the npm audit to see what changes I could make without breaking the repo
    2. checked the open issues with the repo: GitHub · Where software is built

Is there anything in the backlog to fix these vulnerabilities or has there been a fix pushed recently that I could update to?

There are a couple of moderate-severity vulnerabilities that have no fixes via package updates:

  • esbuild - dev server vulnerability
  • undici - HTTP client vulnerabilities

Hey @courtneym! :waving_hand:

Did you attempt to run npm i (aka npm install) in the parent folder of your repository? If you weren't previously aware, any npm commands should be run one folder level down from your parent folder at repo-name/new-custom-component.

Also, did you by chance update dependencies for retool custom component support by entering the following command at repo-name/new-custom-component?

npm update @tryretool/custom-component-support

Hi! @AJVancattenburch I ran both of those and am still running into the vulnerability alerts. When I run the npm audit to see what changes I could make, it says there are no fixes.

I ran git clone GitHub - tryretool/custom-component-collection-template new-custom-component (the first step here) and then cd into the new-custom-component and ran npm install. On initial run I'm seeing 10 vulnerabilities (4 low, 6 moderate).

Have you tried running the command npm audit fix? If you weren't previously aware, that command will fix any 'safe' dependencies that can be resolved.

Also, are you sure those vulnerabilities are anything to worry about? Typically, a few low/moderate vulnerabilities are expected noise when installing or updating dependencies in the JS ecosystem.

General practice -- run npm audit fix when you still have some dependency vulnerability concerns. And if you only have a few low/moderate vulnerabilities left after running that command that aren't going to create any breaking changes, stop there and you should be fine to continue. :folded_hands:

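One way to decide which of those remaining low/moderate findings actually matter, as an added example that is not part of the thread or of Retool's template: read the `npm audit --json` report together with package.json, walk each finding up its `effects` chain to the direct dependencies that pull it in, and label it as dev-only (e.g. a dev-server package) or production-reachable, plus whether npm offers a fix. The audit report and package.json below are constructed samples; only the esbuild and undici names come from the thread, and the `http-helper` chain and all versions are invented.

```python
import json

# Constructed sample shaped like `npm audit --json` (auditReportVersion 2); the
# package names echo the thread, the chains, versions and fix data are invented.
FIX = {"name": "http-helper", "version": "3.0.0", "isSemVerMajor": True}
AUDIT_JSON = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "esbuild": {"severity": "moderate", "isDirect": False, "effects": ["vite"], "fixAvailable": False},
    "vite": {"severity": "moderate", "isDirect": True, "effects": [], "fixAvailable": False},
    "undici": {"severity": "moderate", "isDirect": False, "effects": ["http-helper"], "fixAvailable": FIX},
    "http-helper": {"severity": "low", "isDirect": True, "effects": [], "fixAvailable": FIX},
}})
# Constructed package.json: vite is a dev dependency, http-helper ships to production.
PACKAGE_JSON = json.dumps({"dependencies": {"http-helper": "^2.1.0"}, "devDependencies": {"vite": "^5.0.0"}})

def direct_roots(name, vulns, seen=None):
    """Walk `effects` upward to the direct dependencies that pull `name` in (cycle-safe)."""
    if seen is None:
        seen = set()
    if name in seen or name not in vulns:
        return set()
    seen.add(name)
    if vulns[name].get("isDirect"):
        return {name}
    roots = set()
    for parent in vulns[name].get("effects", []):
        roots |= direct_roots(parent, vulns, seen)
    return roots

def describe_fix(fix):
    """Turn npm's fixAvailable field (bool, or an object for a breaking upgrade) into a label."""
    if fix is True:
        return "npm audit fix"
    if isinstance(fix, dict):
        kind = "major" if fix.get("isSemVerMajor") else "minor"
        return "%s upgrade of %s to %s" % (kind, fix["name"], fix["version"])
    return "none"

def triage(audit_json, package_json):
    """Classify each finding by severity, dev/production reach and fix availability."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    pkg = json.loads(package_json)
    dev, prod = set(pkg.get("devDependencies", {})), set(pkg.get("dependencies", {}))
    report = {}
    for name, entry in vulns.items():
        roots = direct_roots(name, vulns)
        scope = "dev-only" if roots and roots <= dev else ("production" if roots & prod else "unknown")
        report[name] = {"severity": entry["severity"], "scope": scope,
                        "fix": describe_fix(entry.get("fixAvailable"))}
    return report

if __name__ == "__main__":
    for name, row in triage(AUDIT_JSON, PACKAGE_JSON).items():
        print("%-12s %-9s %-11s fix: %s" % (name, row["severity"], row["scope"], row["fix"]))
```

Against a real project, feed it `npm audit --json` output and the project's package.json; a dev-only finding with no fix is the kind of noise the reply above refers to, while a production-reachable one deserves the upgrade even when it is a breaking change.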
Hi @courtneym,

Our security team is working on fixing this for the Custom Component library on our end.

As @AJVancattenburch mentioned, it is usually hard to avoid at least some degree of noise related to npm packages but our team is working to minimize this further.

Will update this thread with any news from the engineering team updating the library.
