Query on Updating NodeJS Libraries Flagged by VA in Qlik Sense Nov 2025 Patch 2
Hi All,
Our Infosec team has raised multiple VA observations on the latest Qlik Sense version (November 2025 Patch 2). These findings were identified using the Qualys tool and are primarily related to outdated NodeJS libraries bundled with Qlik Sense (for example: body-parser, express, prismjs, ws, grunt, etc.).
Since this is the latest available patch of Qlik Sense, it appears that remediation for these issues may not be immediately available as part of Qlik’s product roadmap. This raises the question of whether it is safe or recommended to manually update the affected NodeJS libraries within the Qlik installation.
Our main concern is that manually modifying libraries inside Qlik’s internal node_modules directories could potentially impact or break Qlik Sense internal services.
As one specific example:
Library: grunt-karma
Affected Versions: All versions greater than 0.10.0, including 4.0.0 and 4.0.1
The official repository (https://github.com/karma-runner/grunt-karma) indicates that the last release was in 2021, suggesting that the package is no longer actively maintained by the community, while it is still bundled with Qlik Sense.
Given this context, could you please advise:
Whether it is supported or recommended to manually update such NodeJS libraries within Qlik Sense, and
If not, what the suggested approach is for addressing these VA findings without impacting product stability.