Pull Request for Issue # .
This pull request (PR) updates the 2 NPM dependencies "cross-spawn" and "nanoid".
This fixes 2 security vulnerabilities reported by npm audit, 1 high severity for "cross-spawn" and 1 low severity for "nanoid".
As we do not ship the node_modules with our installation or update packages, these vulnerabilities do not affect Joomla end users but only development environments.
This PR can be merged at any time just before the next 4.4.10 security release.
npm audit
# npm audit report
cross-spawn 7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
nanoid <3.3.8
Infinite loop in nanoid - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid
tinymce <=6.8.5
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes - https://github.com/advisories/GHSA-438c-3975-5x3f
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option - https://github.com/advisories/GHSA-9hcv-j9pv-qmph
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements - https://github.com/advisories/GHSA-w9jx-4g6g-rp7x
fix available via `npm audit fix --force`
Will install tinymce@7.6.0, which is a breaking change
node_modules/tinymce
3 vulnerabilities (1 low, 1 moderate, 1 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
# npm audit report
tinymce <=6.8.5
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes - https://github.com/advisories/GHSA-438c-3975-5x3f
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option - https://github.com/advisories/GHSA-9hcv-j9pv-qmph
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements - https://github.com/advisories/GHSA-w9jx-4g6g-rp7x
fix available via `npm audit fix --force`
Will install tinymce@7.6.0, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
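Added example (not part of the PR or the Joomla code base): a Node.js script that triages an `npm audit --json` report the way the PR description does, separating advisories that `npm audit fix` can resolve from those that need a breaking `--force` upgrade. The report object is constructed to mirror the audit output quoted in the PR; the field names (`fixAvailable`, `isSemVerMajor`, `via`) are assumed from npm's audit report format version 2.

```javascript
// Constructed sample mirroring the PR's audit report (npm audit report v2 layout assumed).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "cross-spawn": {
      name: "cross-spawn", severity: "high", range: "7.0.0 - 7.0.4",
      via: [{ title: "Regular Expression Denial of Service (ReDoS) in cross-spawn",
              url: "https://github.com/advisories/GHSA-3xgq-45jj-v275" }],
      nodes: ["node_modules/cross-spawn"], fixAvailable: true,
    },
    nanoid: {
      name: "nanoid", severity: "low", range: "<3.3.8",
      via: [{ title: "Infinite loop in nanoid",
              url: "https://github.com/advisories/GHSA-mwcw-c2x4-8c55" }],
      nodes: ["node_modules/nanoid"], fixAvailable: true,
    },
    tinymce: {
      name: "tinymce", severity: "moderate", range: "<=6.8.5",
      via: [{ title: "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes",
              url: "https://github.com/advisories/GHSA-438c-3975-5x3f" }],
      nodes: ["node_modules/tinymce"],
      // A fix that crosses a major version is reported as an object, not `true`.
      fixAvailable: { name: "tinymce", version: "7.6.0", isSemVerMajor: true },
    },
  },
};

// Bucket each vulnerable package: auto-fixable, fixable only via a semver-major bump, or no fix.
function triageAudit(report) {
  const result = { autoFix: [], breaking: [], noFix: [], counts: {} };
  for (const v of Object.values(report.vulnerabilities)) {
    result.counts[v.severity] = (result.counts[v.severity] || 0) + 1;
    // `via` mixes advisory objects with plain strings naming the dependency path.
    const entry = { name: v.name, severity: v.severity, range: v.range,
                    advisories: v.via.filter(x => typeof x === "object").map(x => x.url) };
    if (v.fixAvailable === true) result.autoFix.push(entry);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor)
      result.breaking.push({ ...entry, upgradeTo: v.fixAvailable.version });
    else if (v.fixAvailable) result.autoFix.push(entry);
    else result.noFix.push(entry);
  }
  return result;
}

// Summary line in the shape npm prints, e.g. "3 vulnerabilities (1 low, 1 moderate, 1 high)".
function summarize(triage) {
  const order = ["info", "low", "moderate", "high", "critical"].filter(s => triage.counts[s]);
  const total = order.reduce((n, s) => n + triage.counts[s], 0);
  if (total === 1) return `1 ${order[0]} severity vulnerability`;
  return `${total} vulnerabilities (${order.map(s => `${triage.counts[s]} ${s}`).join(", ")})`;
}

const triage = triageAudit(sampleReport);
console.log(summarize(triage));
console.log("needs --force:", triage.breaking.map(b => `${b.name} -> ${b.upgradeTo}`));
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleReport`; the `breaking` bucket is the list to review by hand before touching `--force`.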
Status | New | ⇒ | Pending
Category | | ⇒ | NPM Change
Status | Pending | ⇒ | Fixed in Code Base
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2024-12-18 13:56:28
Closed_By | | ⇒ | laoneo
Labels | | ⇒ | Added: NPM Resource Changed, PR-4.4-dev
Cool, thanks!
I have tested this item ✅ successfully on 6fe1dc1
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44622.