Why Chinese Agencies Are Auditing Vue.js and SonarQube: Security Concerns Explained
Chinese authorities have ordered government bodies and key enterprises to investigate the use of open‑source tools SonarQube and Vue.js amid claims that foreign hackers are exploiting these platforms, prompting a public response from Vue.js founder Evan You about the projects' security posture.
Two unverified screenshots have been widely circulated, showing that Chinese authorities have instructed domestic party and government agencies, as well as key enterprises, to conduct investigations into the use of the open‑source projects SonarQube and Vue.js, especially on government service platforms. The directive cites reports that foreign hackers are organizing network‑attack detection using these tools.
Vue.js founder Evan You responded quickly, stating that Vue takes security very seriously but has not received any vulnerability reports recently. Because Vue is an open‑source project released as JavaScript source code, every line is publicly available for security audits. Vue 2 has been in use worldwide for over five years, and no genuine security flaw has ever been discovered.
Evan explained that “frontend frameworks cannot be used by hackers for infiltration,” described XSS attack methods, and emphasized that Vue itself has no security issues. The team is puzzled by being included in the audit and invites anyone with details to email [email protected].
Public information shows the most recent report on a SonarQube vulnerability dates back to November 2021. Reports claim the SonarQube platform vulnerability was exploited, leading to massive source‑code leakage.
This article has been distilled and summarized from source material, then republished for learning and reference.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
