[#45784] - [5.4] [WiP] Update npm dependencies
- Pending
- Medium
- Build: 5.4-dev
- Draft PR
- # 45784
- Diff
- richard67:5.4-dev-npm-update-2025-07-25
User tests: Successful: Unsuccessful:
Pull Request for Issue #45731 .
Work in Progress (WiP).
I have to complete testing instructions.
Summary of Changes
This pull request (PR) updates all npm dependencies for which currently updates are available and an update is possible (minor or patch update only, or major update without b/c breaks).
It also relaxes the fixed version pin "5.3.3" for bootstrap and updates that dependency to the latest version "5.3.7".
The fixed version constraint was once added with PR #41899 for version "5.3.2" and updated to "5.3.3" with the later PR #44067 , keeping a pin to a fixed version. According to the comments in the former PR, this can be changed back to a caret version constraint "^5.3.7".
Finally, this PR makes changes due to major development dependency updates which are described in detail in section "Major direct development dependency updates" further below.
Major updates to be checked separately
The following major updates of direct dependencies are not done with this PR:
Package Current Latest
@fortawesome/fontawesome-free 6.7.2 7.0.0
accessibility 3.0.17 6.1.0
choices.js 9.1.0 11.1.0
cropperjs 1.6.2 2.0.1
diff 5.2.0 8.0.2
mediaelement 5.1.2 7.0.7
shepherd.js 11.2.0 14.5.1
tinymce 6.8.6 8.0.0
They need to be checked separately because they might not be possible or be b/c breaks or require code changes in the CMS.
Major direct dependency updates
dotenv from 16.4.7 to 17.2.1
See https://github.com/motdotla/dotenv/blob/HEAD/CHANGELOG.md :
NOTICE: 17.0.0 will be released with quiet defaulting to false. Use config({ quiet: true }) to suppress.
This is done with commit b70e02b at the one place where we use dotenv in the core.
Besides that I see now breaking changes in their CHANGELOG.md .
es-module-shims from 1.10.1 to 2.6.1
I did not find any breaking changes.
https://github.com/guybedford/es-module-shims/releases/tag/2.0.0
https://github.com/guybedford/es-module-shims/releases/tag/2.0.1
https://github.com/guybedford/es-module-shims/releases/tag/2.0.2
https://github.com/guybedford/es-module-shims/releases/tag/2.0.3
https://github.com/guybedford/es-module-shims/releases/tag/2.0.4
https://github.com/guybedford/es-module-shims/releases/tag/2.0.5
https://github.com/guybedford/es-module-shims/releases/tag/2.0.6
https://github.com/guybedford/es-module-shims/releases/tag/2.0.7
https://github.com/guybedford/es-module-shims/releases/tag/2.0.8
https://github.com/guybedford/es-module-shims/releases/tag/2.0.9
https://github.com/guybedford/es-module-shims/releases/tag/2.0.10
https://github.com/guybedford/es-module-shims/releases/tag/2.1.0
https://github.com/guybedford/es-module-shims/releases/tag/2.1.1
https://github.com/guybedford/es-module-shims/releases/tag/2.2.0
https://github.com/guybedford/es-module-shims/releases/tag/2.3.0
https://github.com/guybedford/es-module-shims/releases/tag/2.3.1
https://github.com/guybedford/es-module-shims/releases/tag/2.4.0
https://github.com/guybedford/es-module-shims/releases/tag/2.4.1
https://github.com/guybedford/es-module-shims/releases/tag/2.5.0
https://github.com/guybedford/es-module-shims/releases/tag/2.5.1
https://github.com/guybedford/es-module-shims/releases/tag/2.6.0
https://github.com/guybedford/es-module-shims/releases/tag/2.6.1
All changes: guybedford/es-module-shims@1.10.1...2.6.1
qrcode-generator from 1.4.4 to 2.0.2
There seems not to be a b/c break, but it needed an adjustment to the build/build-modules-js/settings.json as the location of the JS has changed.
https://github.com/kazuhikoarase/qrcode-generator/releases/tag/js1.5.0
https://github.com/kazuhikoarase/qrcode-generator/releases/tag/js1.5.1
https://github.com/kazuhikoarase/qrcode-generator/releases/tag/js1.5.2
https://github.com/kazuhikoarase/qrcode-generator/releases/tag/js2.0.0
https://github.com/kazuhikoarase/qrcode-generator/releases/tag/js2.0.1
https://github.com/kazuhikoarase/qrcode-generator/releases/tag/js2.0.2
All changes: kazuhikoarase/qrcode-generator@js1.4.4...js2.0.2
Minor direct dependency updates
@codemirror/commandsfrom 6.8.0 to 6.8.1
https://github.com/codemirror/commands/releases/tag/6.8.1@codemirror/lang-javascriptfrom 6.2.3 to 6.2.4
https://github.com/codemirror/lang-javascript/releases/tag/6.2.4@codemirror/lang-jsonfrom 6.0.1 to 6.0.2
https://github.com/codemirror/lang-json/releases/tag/6.0.2@codemirror/lang-markdownfrom 6.3.2 to 6.3.3
https://github.com/codemirror/lang-markdown/releases/tag/6.3.3@codemirror/lang-phpfrom 6.0.1 to 6.0.2
https://github.com/codemirror/lang-php/releases/tag/6.0.2@codemirror/languagefrom 6.11.0 to 6.11.2
https://github.com/codemirror/language/releases/tag/6.11.1
https://github.com/codemirror/language/releases/tag/6.11.2@codemirror/lintfrom 6.8.4 to 6.8.5
https://github.com/codemirror/lint/releases/tag/6.8.5@codemirror/searchfrom 6.5.10 to 6.5.11
https://github.com/codemirror/search/releases/tag/6.5.11@codemirror/theme-one-darkfrom 6.1.2 to 6.1.3
https://github.com/codemirror/theme-one-dark/releases/tag/6.1.3@codemirror/viewfrom 6.36.4 to 6.38.1
https://github.com/codemirror/view/releases/tag/6.36.5
https://github.com/codemirror/view/releases/tag/6.36.6
https://github.com/codemirror/view/releases/tag/6.36.7
https://github.com/codemirror/view/releases/tag/6.36.8
https://github.com/codemirror/view/releases/tag/6.37.0
https://github.com/codemirror/view/releases/tag/6.37.1
https://github.com/codemirror/view/releases/tag/6.37.2
https://github.com/codemirror/view/releases/tag/6.38.0
https://github.com/codemirror/view/releases/tag/6.38.1
All changes: codemirror/view@6.36.4...6.38.1bootstrapfrom 5.3.3 to 5.3.7
https://github.com/twbs/bootstrap/releases/tag/v5.3.4
https://github.com/twbs/bootstrap/releases/tag/v5.3.5
https://github.com/twbs/bootstrap/releases/tag/v5.3.6
https://github.com/twbs/bootstrap/releases/tag/v5.3.7
All changes: twbs/bootstrap@v5.3.3...v5.3.7hotkeys-jsfrom 3.13.9 to 3.13.15
https://github.com/jaywcjlove/hotkeys-js/releases/tag/v3.13.10
https://github.com/jaywcjlove/hotkeys-js/releases/tag/v3.13.11
https://github.com/jaywcjlove/hotkeys-js/releases/tag/v3.13.12
https://github.com/jaywcjlove/hotkeys-js/releases/tag/v3.13.13
https://github.com/jaywcjlove/hotkeys-js/releases/tag/v3.13.14
https://github.com/jaywcjlove/hotkeys-js/releases/tag/v3.13.15
All changes: jaywcjlove/hotkeys-js@v3.13.9...v3.13.15sa11yfrom 4.1.1 to 4.1.10
https://github.com/ryersondmp/sa11y/releases/tag/4.1.2
https://github.com/ryersondmp/sa11y/releases/tag/4.1.3
https://github.com/ryersondmp/sa11y/releases/tag/4.1.4
https://github.com/ryersondmp/sa11y/releases/tag/4.1.5
https://github.com/ryersondmp/sa11y/releases/tag/4.1.6
https://github.com/ryersondmp/sa11y/releases/tag/4.1.7
https://github.com/ryersondmp/sa11y/releases/tag/4.1.8
https://github.com/ryersondmp/sa11y/releases/tag/4.1.9
https://github.com/ryersondmp/sa11y/releases/tag/4.1.10
All changes: ryersondmp/sa11y@4.1.1...4.1.10tinymcefrom 6.8.5 to 6.8.6
https://github.com/tinymce/tinymce/releases/tag/6.8.6vuefrom 3.5.13 to 3.5.18
Major direct development dependency updates
eslint from 8.57.1 to 9.32.0
With version 9, the configuration file format of eslint has changed.
Due to the update, lots of // eslint-disable-next-line in some 90 js files have become obsolete.
This has bee done by @dgrammatiko with commit b78c75f , then the new configuration files have been moved to the "build" folder with my commit 34964ca .
Thanks a lot @dgrammatiko for your help.
eslint-plugin-vue has been updated from 9.33.0 to 10.3.0 to match the new eslint version.
eslint-plugin-import has been updated from 2.31.0 to 2.32.0
eslint-config-airbnb-base has been removed because there is no version available which supports eslint version 9.
stylelint from 14.16.1 to 16.23.0
With version 15, stylelint decided to focus on the main purpose of a code linter and leave pure code style checks to external tools. See details below the list of rules here https://stylelint.io/migration-guide/to-15/#deprecated-stylistic-rules .
With version 16, these deprecated rules have been removed, see https://stylelint.io/migration-guide/to-16/#removed-deprecated-stylistic-rules .
That causes "Unknown rule" errors when running npm ci or npm run lint:css, and the GitHub action for the CSS style check fails.
This is fixed by adding the @stylistic/stylelint-plugin as recommended in the migration to 15 guide mentioned above, and changing the rules by adding a @stylistic/ prefix. In this way we can keep these rules, and npm run lint:css should work as before.
In addition, it needed to fix stylelint errors in 3 of our scss files which were reported by the updated version due to its improvements. See this commit in my PR: 3c4b4ff
The following direct development dependencies have been updated to match the new stylelint version:
stylelint-config-standardfrom 24.0.0 to 38.0.0stylelint-orderfrom 5.0.0 to 7.0.0stylelint-scsfrom 4.7.0 to 6.12.1
Minor direct development dependency updates
@babel/corefrom 7.26.10 to 7.28.0@babel/preset-envfrom 7.26.9 to 7.28.0@rollup/plugin-commonjsfrom 28.0.3 to 28.0.6@vue/compiler-sfcfrom 3.5.8 to 3.5.18commanderfrom 13.1.0 to 14.0.0core-jsfrom 3.41.0 to 3.44.0cypressfrom 14.2.0 to 14.5.3esbuildfrom 0.25.1 to 0.25.8jasmine-corefrom 5.6.0 to 5.9.0lightningcssfrom 1.29.3 to 1.30.1pgfrom 8.14.0 to 8.16.3rollupfrom 4.35.0 to 4.46.1sass-embeddedfrom 1.85.1 to 1.89.2semverfrom 7.7.1 to 7.7.2
joomla-cypress is only changed from "^1.3.0" to "^1.3.1" in package.json.
In package-lock.json it is already up to date.
Indirect dependencies
The indirect dependencies of the above mentioned direct dependencies have been updated, too, of course.
But I don't think that needs to be reviewed in detail.
Testing Instructions
Experienced Reviewers
Reviewers please use the GitHub review functionality to approve the changes or request changes.
- Review the changes listed above.
- Check that GitHub actions of the CI checks are successful.
- Check that the patched package for this PR has been successfully build with the Drone CI step.
End Users
When having tested, please submit your test result in the issue tracker here https://issues.joomla.org/tracker/joomla-cms/45784 with the blue "Test this" button at the top left corner.
The patched installation and update packages and custom update URL created by Drone for this PR can be found here:
https://artifacts.joomla.org/drone/joomla/joomla-cms/5.4-dev/45784/downloads/86470/
- Make a new installation with the branch or patched package from this PR.
- Switch error reporting to maximum and Debug System to On in global configuration.
- Install Blog Sample Data.
- Do whatever else comes into your mind in backend and frontend.
...
Will be completed soon.
Actual result BEFORE applying this Pull Request
When running npm ci, 6 deprecated dependencies are reported:
richard@vmubu02:~/lamp/public_html/joomla-cms-5.4-dev$ npm ci
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
> joomla@5.4.0 install
> node build/build.mjs --prepare
...
When running npm outdated you get a giant list too long to be mentioned here.
Will be completed soon.
Expected result AFTER applying this Pull Request
When running npm ci, no deprecated dependencies are reported:
richard@vmubu02:~/lamp/public_html/joomla-cms-5.4-dev$ npm ci
> joomla@5.4.0 install
> node build/build.mjs --prepare
...
When running npm outdated you get:
Package Current Wanted Latest Location Depended by
@fortawesome/fontawesome-free 6.7.2 6.7.2 7.0.0 node_modules/@fortawesome/fontawesome-free joomla-cms
accessibility 3.0.17 3.0.17 6.1.0 node_modules/accessibility joomla-cms
choices.js 9.1.0 9.1.0 11.1.0 node_modules/choices.js joomla-cms
cropperjs 1.6.2 1.6.2 2.0.1 node_modules/cropperjs joomla-cms
diff 5.2.0 5.2.0 8.0.2 node_modules/diff joomla-cms
mediaelement 5.1.2 5.1.2 7.0.7 node_modules/mediaelement joomla-cms
shepherd.js 11.2.0 11.2.0 14.5.1 node_modules/shepherd.js joomla-cms
tinymce 6.8.6 6.8.6 8.0.0 node_modules/tinymce joomla-cms
Will be completed soon.
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | NPM Change Front End Plugins |
@brianteeman TinyMCE 7 would be a b/c break and in general we will not make major updates in 5.4 if there is any risk for b/c breaks. Such things will be for 6.0.
@brianteeman TinyMCE 8 would be a b/c break and in general we will not make major updates in 5.4 if there is any risk for b/c breaks. Such things will be for 6.0.
thats why i said the list should be reviewed
| Labels |
Added:
NPM Resource Changed
PR-5.4-dev
|
||
| Category | NPM Change Front End Plugins | ⇒ | Repository NPM Change Front End Plugins |
@dgrammatiko Could you check the "Stylelint major update from 14 to 16" part in the description of this PR?
Should we do something to bring back the functionality of the removed style checks? Can we implement own stylelint rules for that? Or integrate another 3rd party tool? Or can we live without these checks?
You can see the removed rules in commit 69ab7a1 .
Thanks in advance for checking.
@dgrammatiko P.S.: Another problem is updating eslint stuff. I don't get that working here. It fails with unresolved dependencies or something like that. Maybe you can help also with that?
I’ll have a look later on today
@dgrammatiko For the styllint rules they write in https://stylelint.io/migration-guide/to-15/#deprecated-stylistic-rules :
Alternatively, you can continue to enforce stylistic consistency with Stylelint by using the community plugin @stylistic/stylelint-plugin that has migrated the deprecated rules.
So maybe we can just add that plugin and add back the removed rules, e.g. "@stylistic/color-hex-case": "lower",?
@dgrammatiko Done, I've added the plugin and added back the rules. Will update PR description with that. Stylelint issue solved. What remains is the eslint.
At some point we should move to biome and rolldown (rust based). I’m sure I have some code already but probably not for this pr. I’ll look at the eslint when I’m back home
| Category | NPM Change Front End Plugins Repository | ⇒ | Repository JavaScript NPM Change Front End Plugins |
Current status of this PR regarding outdated dependencies:
Package Current Wanted Latest Location
@fortawesome/fontawesome-free 6.7.2 6.7.2 7.0.0 node_modules/@fortawesome/fontawesome-free
accessibility 3.0.17 3.0.17 6.1.0 node_modules/accessibility
choices.js 9.1.0 9.1.0 11.1.0 node_modules/choices.js
cropperjs 1.6.2 1.6.2 2.0.1 node_modules/cropperjs
diff 5.2.0 5.2.0 8.0.2 node_modules/diff
es-module-shims 1.10.1 1.10.1 2.6.1 node_modules/es-module-shims
eslint 8.57.1 8.57.1 9.32.0 node_modules/eslint
eslint-plugin-vue 9.33.0 9.33.0 10.3.0 node_modules/eslint-plugin-vue
mediaelement 5.1.2 5.1.2 7.0.7 node_modules/mediaelement
shepherd.js 11.2.0 11.2.0 14.5.1 node_modules/shepherd.js
tinymce 6.8.6 6.8.6 8.0.0 node_modules/tinymce
accessibility, shepherd.js and tinymce definitely can not be updated in this PR
accessibility, shepherd.js and tinymce definitely can not be updated in this PR
@brianteeman Yes, I think that's right. Fontawesome 7 could be ok as there are not really hard b/c breaks, but that needs to be checked more in detail.
Fontawesome has renamed some icons https://docs.fontawesome.com/upgrade/whats-changed#icons-renamed-in-v7
Fontawesome has renamed some icons https://docs.fontawesome.com/upgrade/whats-changed#icons-renamed-in-v7
@brianteeman Yes, but they have added aliases:
We’ve cleaned up a number of visually similar or redundant icons and remapped them as aliases.
doubt it would have any impact on core BUT it 5 to 6 is a breaking change so it would have to wait for j6
AFAIK mediaelement is NOT used anywhere in the core…
So the main thing is the eslint. It would really be cool to get rid of these warnings shown at the beginning of the output of an npm ci run:
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
So for eslint, if I remember correctly we use the Airbnb style guide which is not yet available for the next major version. I guess we have to pick another popular (and compatible) plugin
For the moment remove the airbnb from the eslint config and upgrade to v9, I’ll do the rest
So for eslint, if I remember correctly we use the Airbnb style guide which is not yet available for the next major version. I guess we have to pick another popular (and compatible) plugin
@dgrammatiko Correct, the Airbnb is the thing which breaks. Can you help with finding an alternative?
For the moment remove the airbnb from the eslint config and upgrade to v9, I’ll do the rest
@dgrammatiko Ok, will do that.
FYI ai gives some hints
Here's a breakdown of some alternatives:
eslint-config-standard:
This is a popular, opinionated style guide that focuses on a minimal set of rules, particularly favoring a semicolon-free style.
eslint-config-google:
Another widely used style guide, this one emphasizes Google's coding conventions.
eslint-config-next:
If you're working with Next.js, this configuration provides specific rules tailored to that framework.
@dgrammatiko eslint-config-standard seems not to work with eslint 9.
For the moment remove the airbnb from the eslint config and upgrade to v9
@dgrammatiko I've tried it here locally. It would work, but then npm run lint:js fails due to the configuration file format change: https://eslint.org/blog/2023/10/flat-config-rollout-plans/
@dgrammatiko No idea which base branch you have chosen, but it seems it was not the one from this PR.
Update: Base branch would be ok, but the PR has lots of unwanted empty lines with spaces, see my comment there.
| Category | NPM Change Front End Plugins Repository JavaScript | ⇒ | Repository JavaScript NPM Change |
Current status of this PR regarding outdated direct npm dependencies:
Package Current Wanted Latest Location
@fortawesome/fontawesome-free 6.7.2 6.7.2 7.0.0 node_modules/@fortawesome/fontawesome-free
accessibility 3.0.17 3.0.17 6.1.0 node_modules/accessibility
choices.js 9.1.0 9.1.0 11.1.0 node_modules/choices.js
cropperjs 1.6.2 1.6.2 2.0.1 node_modules/cropperjs
diff 5.2.0 5.2.0 8.0.2 node_modules/diff
es-module-shims 1.10.1 1.10.1 2.6.1 node_modules/es-module-shims
mediaelement 5.1.2 5.1.2 7.0.7 node_modules/mediaelement
shepherd.js 11.2.0 11.2.0 14.5.1 node_modules/shepherd.js
tinymce 6.8.6 6.8.6 8.0.0 node_modules/tinymce
Accessibility, shepherd.js and tinymce definitely can not be updated to the latest version in this PR.
Maybe choices.js, cropperjs, diff and es-module-shims should be checked.
Fontawesome will be discussed with maintainers.
Croperjs is fine as it’s used as a module ie using moduleimports
Croperjs is fine as it’s used as a module ie using moduleimports
@dgrammatiko What means "is fine"? Fine to keep as it is? Or fine to update?
@dgrammatiko P.S.: Do the changes listed here need some changes in the CMS, or could they cause problems for 3rd party extensions? https://fengyuanchen.github.io/cropperjs/migration.html .
Keep it as is here and let’s investigate in another pr
Keep it as is here and let’s investigate in another pr
@dgrammatiko Ok. It seems they have removed their CSS file from the distro, so we can't provide a style asset for that anymore. Of course we can remove it from build\build-modules-js\settings.json, but it might be a b/c break if we don't provide the style assset anymore.
I will add some links to information in the description and will complete the testing instructions in the next days, then the PR will be ready.
the pr is ok but the following outdated packages should be reviewed to see if they can be updated