Pull Request for Issue # .
This pull request (PR) updates composer and npm dependencies to fix security issues reported by `composer audit` and `npm audit`.
It needs a development environment (git clone + composer + npm) for testing.
For the actual result use the 5.3-dev branch of this repository (or of your clone if that is up to date with the upstream).
For the expected result you can fetch this PR into a local branch with a name of your choice, here as example "test-pr-45984":

```sh
git fetch upstream pull/45984/head:test-pr-45984
git checkout test-pr-45984
git clean -d -x -f
git checkout .
composer install
npm ci
composer audit
npm audit
```

Actual result before applying this PR (5.3-dev branch)

`composer audit`:
```text
Found 2 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | enshrined/svg-sanitize                                                           |
| Severity          | medium                                                                           |
| CVE               | CVE-2025-55166                                                                   |
| Title             | svg-sanitizer Bypasses Attribute Sanitization                                    |
| URL               | https://github.com/advisories/GHSA-22wq-q86m-83fh                                |
| Affected versions | <0.22.0                                                                          |
| Reported at       | 2025-08-12T20:20:58+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
```
`npm audit`:
```text
# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion

form-data  4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.0.2, which is a breaking change
node_modules/tinymce

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp

4 vulnerabilities (2 low, 1 moderate, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Expected result after applying this PR

`composer audit`:
```text
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+
```
`npm audit`:
```text
# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.0.2, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
```
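One way to automate the triage this PR does by hand on the `npm audit` report (which findings `npm audit fix` applies cleanly, and which, like tinymce, would need `--force` and therefore still show up in the expected result), as an added example that is not Joomla's own tooling: a small Python parser for the text report. The sample report is constructed from the 5.3-dev output quoted above; the function and field names are this example's own.

```python
"""Parse the text report of `npm audit` and sort its findings into fixes that
`npm audit fix` applies cleanly and fixes that need --force (breaking changes).
Added example for this PR's test procedure, not Joomla's own tooling; the sample
report is constructed from the 5.3-dev output quoted in the PR, and the function
and field names are this example's own."""
import re
from dataclasses import dataclass, field

# Constructed sample: npm prints no "Severity:" line for low findings
# (brace-expansion, tmp), which the parser has to handle.
NPM_SAMPLE = """\
# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion

form-data  4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.0.2, which is a breaking change
node_modules/tinymce

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp

4 vulnerabilities (2 low, 1 moderate, 1 critical)
"""


@dataclass
class NpmFinding:
    package: str
    versions: str
    severity: str = "low"  # npm omits the "Severity:" line for low findings
    advisories: list = field(default_factory=list)
    paths: list = field(default_factory=list)
    breaking: bool = False  # fix needs `npm audit fix --force`


# A finding starts with "<package>  <version range>"; the range begins with a
# digit or a comparison operator, and no other line of the report has that shape.
_HEADER = re.compile(r"^([\w@./-]+)\s+([<>=\d*].*)$")


def parse_npm_audit(text):
    """Turn the text report into a list of NpmFinding, in report order."""
    findings, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = _HEADER.match(line)
        if m:
            cur = NpmFinding(m.group(1), m.group(2).strip())
            findings.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Severity:"):
            cur.severity = line.split(":", 1)[1].strip()
        elif " - https://github.com/advisories/" in line:
            cur.advisories.append(line.rsplit(" - ", 1)[1])
        elif "breaking change" in line:
            cur.breaking = True
        elif line.startswith("node_modules/"):
            cur.paths.append(line)
    return findings


def triage(findings):
    """Package names `npm audit fix` handles versus those needing --force."""
    safe = [f.package for f in findings if not f.breaking]
    breaking = [f.package for f in findings if f.breaking]
    return safe, breaking


if __name__ == "__main__":
    safe, breaking = triage(parse_npm_audit(NPM_SAMPLE))
    print("npm audit fix:        ", ", ".join(safe))
    print("npm audit fix --force:", ", ".join(breaking))
```

Run against the sample, `triage` puts brace-expansion, form-data and tmp in the clean-fix list and tinymce in the `--force` list, which is the same split the PR's before/after output shows. Feeding it the live report (`npm audit > report.txt`) works the same way, since the parser only depends on the report's line shapes; the missing `Severity:` line on low findings is the one trap worth remembering.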
In the 5.4-dev and 6.0-dev branches, only the composer dependency "enshrined/svg-sanitize" and the npm dependency "tmp" need to be updated like here; all other dependencies handled in this PR are already up to date in those branches. This will be handled with the upmerges by the release managers.
Please select:
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
Status | New | ⇒ | Pending |
Category | ⇒ | External Library Composer Change NPM Change |