Inquiry on Support and Commitment for GoXam under EU Cyber Resilience Act (CRA)

Hi Northwoods Team,

We are currently reviewing vendor support and compliance plans as we move into the EU Cyber Resilience Act (CRA) era. As part of our product suite, we are using GoXam, and we would like to understand your support model going forward.

Could you please clarify the following:

  1. Will Northwoods continue to provide updates, security patches, and maintenance for GoXam under the CRA requirements?

  2. Do you have any timelines, release plans, or official statements regarding CRA compliance?

  3. Is there any documentation or assurance you can share regarding long-term support for GoXam?

This information will help us plan our compliance and product roadmap activities effectively.

We appreciate your support and look forward to your response.

Thank you,
Yugandhar

Yes, we will continue to provide updates, security patches, and maintenance for the foreseeable future. However, we have stopped developing new features for GoXam, since our focus is now on improving GoDiagram.

.NET 10 is being released today, so we will soon produce another release including .NET 10 targets, after we’ve had time to evaluate and test it.

Hi Team,

Thank you for the clarification and the update regarding the GoXam and .NET 10 release plans - that’s helpful.

Since we are preparing for EU Cyber Resilience Act (CRA) readiness, could you please also confirm/clarify the following points for GoXam:

  1. Is there a documented support lifecycle (e.g., how long updates and security patches will be provided)?

  2. Do you maintain a Software Bill of Materials (SBOM) for GoXam that can be shared with customers?

  3. In case of a discovered vulnerability, do you have a defined process and SLA for issuing security patches or advisories?

  4. Is there a designated security contact (PSIRT or equivalent) for responsible disclosure?

This will help us complete our internal CRA compliance assessment.

Thanks again for your support,
Yugandhar

Hello, I am the security contact for Northwoods Software. I will answer more fully via email shortly.

I am removing your company-specific information and replying here also in case others see this topic, though my email has more information for you.

We do not document this externally, though we continue to sell support and updates for GoXam. In the past we have warned customers at renewal time when we may be sunsetting a project within 1-2 years (for example, JGo, our Java library). We offer to sell a source code license for the companies that may need it. We do not intend to sunset GoXam in the foreseeable future.

However, GoXam is no longer receiving regular updates besides patches, and has been largely superseded in new projects by GoDiagram 10, which we recommend using instead. GoDiagram 10 is actively developed for WinForms and Avalonia, and can be used within WPF applications. GoDiagram 10 also shares a significant portion of its API with our web library, GoJS.

GoXam and GoJS have no dependencies - everything is built from scratch for these libraries. GoXam does require Microsoft WPF in order to work, of course, just as GoJS only depends on what the browser provides.

GoDiagram requires either WinForms or Avalonia and SkiaSharp for drawing, but nothing else.

We do, though we have never had a security vulnerability in our company’s history. Since we are only selling components that confine themselves to the display layer of an application, and not services or non-display-based integrations, a vulnerability would be unlikely. Should we ever discover a vulnerability, we would notify all affected customers immediately.

I (Simon) am the designated security contact for Northwoods Software.