Joomla! Issue Tracker | Joomla! CMS #46100 - [6.0] Update Composer and NPM dependencies for 6.0.0-rc1

Composer Dependency Changed Documentation Required NPM Resource Changed PR-6.0-dev

Fixed in Code Base
20 Sep 2025
Medium
Build: 6.0-dev
# 46100
Diff
richard67:6.0-dev-dependency-updates-2025-09-10

Pending

User tests: Successful: Unsuccessful:

richard67
14 Sep 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) updates Composer and NPM dependencies for the upcoming 5.4.0-rc1 release.

It contains also the dependency updates from PR #46099 for 5.4-dev if relevant for 6.0-dev, too, so when both PRs, that one and this one here, have been merged, then at the next upmerge from 5.4-dev to 6.0-dev the conflicts in the files modified by these PRs can be solved by keeping the complete file from the 6.0-dev branch.

Major Updates

There are no major updates made for direct non-development composer dependencies.

For development dependencies (composer and NPM) some major updates are made. They work for the CMS core and produce b/c results, and we do not ship them with our packages.

For the following direct non-development NPM dependencies major updates are made:

es-module-shims from 1.10.1 to 2.6.2
These polyfills were introduced into Joomla 5 with PR #40714 so that PR works also for older browser which do not natively support import maps.
The releases on GitHub do not show any breaking changes, only new features and bug fixes.
mediaelement from 5.1.2 to 7.0.7
This dependency is not used by the core, but it might be used by extension developers.
There should be a note in the 5.5 to 6.0 migration documentation with reference to the migration documentation
https://github.com/mediaelement/mediaelement/blob/master/MIGRATION.md#migrating-from-5x-to-6x-version
https://github.com/mediaelement/mediaelement/blob/master/MIGRATION.md#migrating-from-6x-to-7x-version
qrcode-generator from 1.5.2 to 2.0.4
Seems to work without issues. MFA with OTP is still working with qrcodes.

Other Notable Updates

One notable change is the NPM dependency update of bootstrap from 5.3.7 to 5.3.8.

It adds the following to our template.css files:

[type="search"]::-webkit-search-cancel-button {
  cursor: pointer;
  filter: grayscale();
}

In addition it adds a flex-shrink: 0; property to the .spinner-grow, .spinner-border { sections.

See twbs/bootstrap#41639 and twbs/bootstrap#41654 for details.

Another notable changes comes with the update of the composer dependency "doctrine/inflector" from 2.0.10 to 2.1.0.

They have moved their sources from subfolder inflector/lib/Doctrine/Inflector to subfolder src with version 2.1.0.

Therefore this PR here adds the files and folders from the old location to the lists of files and folders to be deleted on update in the script.php file.

Updated dependencies

Composer Dependencies (non-dev)

algo26-matthias/idna-convert 4.0.4 -> 4.2.1
https://github.com/algo26-matthias/idna-convert/releases/tag/v4.1.0
https://github.com/algo26-matthias/idna-convert/releases/tag/v4.1.1
https://github.com/algo26-matthias/idna-convert/releases/tag/v4.1.2
https://github.com/algo26-matthias/idna-convert/releases/tag/v4.2.0
https://github.com/algo26-matthias/idna-convert/releases/tag/v4.2.1
algo26-matthias/idna-convert@v4.0.4...v4.2.1
doctrine/inflector 2.0.10 -> 2.1.0
https://github.com/doctrine/inflector/releases/tag/2.0.11
https://github.com/doctrine/inflector/releases/tag/2.1.0
doctrine/inflector@2.0.10...2.1.0
composer/ca-bundle 1.5.7 -> 1.5.8
https://github.com/composer/ca-bundle/releases/tag/1.5.8
composer/ca-bundle@1.5.7...1.5.8
symfony/polyfill-mbstring 1.32.0 -> 1.33.0
No changes, only new tag.
symfony/polyfill-mbstring@v1.32.0...v1.33.0
symfony/web-link 6.4.22 -> 6.4.24
Was only not up to date in composer.json.
In composer.lock it was already up to date.
symfony/yaml 6.4.23 -> 6.4.25
https://github.com/symfony/yaml/releases/tag/v6.4.24
https://github.com/symfony/yaml/releases/tag/v6.4.25
symfony/yaml@v6.4.23...v6.4.25

NPM Dependencies (non-dev)

Composer Dependencies (dev)

NPM Dependencies (dev)

Testing Instructions

Test 1: Check package build - Variant 1

This test shall verify that building the packages (which includes composer install and npm ci) still works and the installation package shows only the expected differences compared to a package created without this PR.

It requires to have a development environment (git clone, composer, npm) with runs either on a unixoid OS (Linux, Mac), or if on Windows it needs WSL2 and a Linux filesystem for the git clone.

If you don't have all that or are not familiar with development and package building, skip this test variant 1 and go to the next section for variant 2.

The description below assumes that you have a git clone of your fork with origin being the remote for your fork, and upstream being the remote to this repository here, as it is with a standard installation of GitHub desktop or most other Git clients.

Checkout your 6.0-dev branch and make sure that your branch is clean and up to date with the upstream 6.0-dev branch:

git clean -d -x -f
git checkout .
git checkout 6.0-dev
git remote update
git reset --hard upstream/6.0-dev

Build packages from the current branch (i.e. remote=HEAD) and redirect the output into a log file:

php ./build/build.php --remote=HEAD 2>&1 | tee ./tmp/build.log

Check that the created packages in the build/tmp/packages folder are complete and have plausible sizes:

ls -al ./build/tmp/packages/

Save the full installation zip package build/tmp/packages/Joomla_6.0.0-beta4-dev-Development-Full_Package.zip somewhere outside your git clone, e.g. in a folder test-pr-46100-before your home directory:

md ~/test-pr-46100-before
cp ./build/tmp/packages/Joomla_6.0.0-beta4-dev-Development-Full_Package.zip ~/test-pr-46100-before/

Copy the log file from step 2 to the same place:

cp ./tmp/build.log ~/test-pr-46100-before/

Clean up the branch

git clean -d -x -f
git checkout .

Fetch this pull request into a new local branch and check out that branch:

git fetch upstream pull/46100/head:test-pr-46100
git checkout test-pr-46100

Same as steps 2 to 5, but with a different folder outside of the git clone to save the results:

php ./build/build.php --remote=HEAD 2>&1 | tee ./tmp/build.log
ls -al ./build/tmp/packages/
md ~/test-pr-46100-after
cp ./build/tmp/packages/Joomla_6.0.0-beta4-dev-Development-Full_Package.zip ~/test-pr-46100-after/
cp ./tmp/build.log ~/test-pr-46100-after/

Unpack the full installation zip packages (one without this PR and one with this PR) into 2 separate folders.
Compare the content of the packages with a good comparison tool, e.g. Beyond Compare, TotalCommander, Meld, ...
Result: See section "Expected result AFTER applying this Pull Request" below.
Compare the 2 logs (one without and one with this PR) from the previous steps.
Result: See section "Expected result AFTER applying this Pull Request" below.

Test 1: Check package build - Variant 2

If you have executed the test in the previous section "Test 1: Check package build - Variant 1", you can skip the test here and directly continue with the next section "Test 2: Check if Joomla still works".

Download the latest 6.0 nightly build full installation zip package from here:
https://developer.joomla.org/nightlies/Joomla_6.0.0-beta4-dev-Development-Full_Package.zip
Download the full installation zip package created by Drone for this PR from here:
https://artifacts.joomla.org/drone/joomla/joomla-cms/6.0-dev/46100/downloads/88106/Joomla_6.0.0-beta4-dev+pr.46100-Development-Full_Package.zip
Unpack the packages downloaded in the previous 2 steps into 2 separate folders.
Compare the content of the packages with a good comparison tool, e.g. Beyond Compare, TotalCommander, Meld, ...
Result: See section "Expected result AFTER applying this Pull Request" below.
Download the log of the "Packages" step of Drone CI for the last commit in the 6.0-dev branch of the CMS repo.
You can find it here: https://ci.joomla.org/joomla/joomla-cms/88080/1/2
Select the "Packager" step at the left side, then use the download button at the top right corner of the console lo area.
Do the same for the log of the "Packages" step of Drone CI for this PR.
You can find it here: https://ci.joomla.org/joomla/joomla-cms/88106/1/2
Select the "Packager" step at the left side, then use the download button at the top right corner of the console lo area.
Compare the 2 logs downloaded in the 2 previous steps.
Result: See section "Expected result AFTER applying this Pull Request" below.

Test 2: Check if Joomla still works

Make a new installation with the full installation zip package for this PR, using the package from the previous test 1.
Check that everything looks and works as usual.
Check that qrcodes are still working for MFA with OTP, i.e. add an authenticator and scan the qrcode with a modible device to add it to your authenticator app.
Result: See section "Expected result AFTER applying this Pull Request" below.

Actual result BEFORE applying this Pull Request

Not applicable.

Expected result AFTER applying this Pull Request

When comparing the 2 installation zip packages, only the following differences can be found:

Updated dependencies in the libraries/vendor folder or subfolders
Notable differences mentioned in section "Summary of Changes" for the "bootstrap" update
Notable differences mentioned in section "Summary of Changes" for the "doctrine/inflector" update

Besides that, only the usual changes between 2 consecutive builds can be found, i.e. different ordering of assets in joomla.assets.json files and versions in css or js files.

When comparing the log files you can see the different versions in the composer install step.

The npm ci step may differ much due to the random order of processing dependencies and compiling assets due to the asynchronous execution of the dependency installation and the compilation steps.

But there are no new warnings shown at the beginning of that step, and at the end the summary is the same, too.

The installation made with the installation package for this PR looks and works as well as before.

Qrcodes in MFA with OTP are still working.

Link to documentations

Please select:

Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org: To be done.
No documentation changes for manual.joomla.org needed

704b789 13 Sep 2025

Composer update 2025-09-10

6fbc807 13 Sep 2025

NPM update 2025-09-10

d71bf57 13 Sep 2025

Composer update 2025-09-10

23387ff 13 Sep 2025

NPM update 2025-09-10

f06327e 13 Sep 2025

Composer update 2025-09-13

497533b 13 Sep 2025

Update phpstan-baseline.neon

e8d11a1 13 Sep 2025

NPM update 2025-09-13

eadd197 13 Sep 2025

Merge branch '6.0-dev-composer-update-2025-09-10' into 6.0-dev-dependency-updates-2025-09-10

3dd5ecf 13 Sep 2025

Merge branch '6.0-dev-npm-update-2025-09-10' into 6.0-dev-dependency-updates-2025-09-10

3276b57 14 Sep 2025

Composer update phpunit to 9.6.27

f307eab 14 Sep 2025

Merge branch '6.0-dev-composer-update-2025-09-10' into 6.0-dev-dependency-updates-2025-09-10

10bf469 14 Sep 2025

Update symfony/web-link version in composer.json

a93c52f 14 Sep 2025

Merge branch '6.0-dev-composer-update-2025-09-10' into 6.0-dev-dependency-updates-2025-09-10

richard67 - open - 14 Sep 2025

richard67 - change - 14 Sep 2025

Status

New

⇒

Pending

joomla-cms-bot - change - 14 Sep 2025

Category

⇒

External Library Composer Change NPM Change Front End Plugins

richard67 - change - 14 Sep 2025

The description was changed

richard67 - edited - 14 Sep 2025

1bcab7a 14 Sep 2025

Update deleted files and folders in script.php

7eeac0f 14 Sep 2025

Merge branch '6.0-dev-composer-update-2025-09-10' into 6.0-dev-dependency-updates-2025-09-10

richard67 - change - 14 Sep 2025

Labels

Added: Composer Dependency Changed NPM Resource Changed PR-6.0-dev

joomla-cms-bot - change - 14 Sep 2025

Category

External Library Composer Change NPM Change Front End Plugins

⇒

Administration com_admin External Library Composer Change NPM Change Front End Plugins

richard67 - change - 14 Sep 2025

The description was changed

richard67 - edited - 14 Sep 2025

richard67 - change - 14 Sep 2025

The description was changed

richard67 - edited - 14 Sep 2025

a4abdb9 14 Sep 2025

Revert NPM totp-generator to 1.0.0

richard67 - change - 14 Sep 2025

The description was changed

richard67 - edited - 14 Sep 2025

richard67 - change - 14 Sep 2025

The description was changed

richard67 - edited - 14 Sep 2025

richard67 - change - 14 Sep 2025

The description was changed

richard67 - edited - 14 Sep 2025

383d540 16 Sep 2025

Merge branch '6.0-dev' into 6.0-dev-dependency-updates-2025-09-10

f86b276 16 Sep 2025

Composer update phpstan to 2.1.26

richard67 - change - 16 Sep 2025

The description was changed

richard67 - edited - 16 Sep 2025

9debdda 16 Sep 2025

NPM updates 2025-09-16

richard67 - change - 16 Sep 2025

The description was changed

richard67 - edited - 16 Sep 2025

a29f698 16 Sep 2025

NPM major update totp-generator to 2.0.0

joomla-cms-bot - change - 16 Sep 2025

Category

External Library Composer Change NPM Change Front End Plugins Administration com_admin

⇒

Administration com_admin External Library Composer Change NPM Change Front End Plugins JavaScript Unit Tests

e52d90d 16 Sep 2025

Fix system tests for totp-generator update

richard67 - change - 16 Sep 2025

Labels

Added: Unit/System Tests

e2195f8 16 Sep 2025

Revert "Fix system tests for totp-generator update"

8d644e0 16 Sep 2025

Revert "NPM major update totp-generator to 2.0.0"

joomla-cms-bot - change - 16 Sep 2025

Category

External Library Composer Change NPM Change Front End Plugins Administration com_admin JavaScript Unit Tests

⇒

Administration com_admin External Library Composer Change NPM Change Front End Plugins

richard67 - comment - 16 Sep 2025

@dgrammatiko Could you help me here with some major updates?

The first one it totp-generator (NPM dev dependency).

I have tried to update it from 1.0.0 to 1.1.0 in my other PR for 5.4-dev, but that caused the system tests for MFA to fail due to an issue with a missing indirect dependency, see bellstrand/totp-generator#229 . They say they have fixed it with 2.0.0. Obviously they don't care that it's broken in their 1.1.0 version.

But 2.0.0 claims to have breaking changes, see https://github.com/bellstrand/totp-generator/releases/tag/v2.0.0 .

So I've reverted and pinned to 1.0.0 in my 5.4-dev PR.

For this 6.0-dev PR here I have tried to update to 2.0.0 and fix the places where we use it (system tests), see commit a29f698 .

The first try failed because using await outside an asynchronous function, so I've tried to fix it like this: e52d90d

But that failed again with missing dependency.

Do you have an idea how to make it work with 2.0.0?

And if you have a fix: Do you think we can also update to 2.0.0 for CMS 5.4? As far as I can see we use it only in system tests and don't ship it with our packages, so it would not be a b/c break.

richard67 - comment - 16 Sep 2025

@Hackwar @laoneo Do you think we can update cypress from 14.5.4 to 15.2.0 in J 6.0? Or even in 5.4? As far as I see it is only a dev dependency so we don't ship it. Or are there some breaking changes which would require some work on the CMS so we should only do it in 6.0, or not do it at all?

laoneo - comment - 16 Sep 2025

We often did major updates of cypress in minors. When the tests are running through you can even do it in 5.4.

bc658da 17 Sep 2025

Merge branch '6.0-dev' into 6.0-dev-dependency-updates-2025-09-10

richard67 - change - 17 Sep 2025

Labels

Removed: Unit/System Tests

richard67 - comment - 17 Sep 2025

We often did major updates of cypress in minors. When the tests are running through you can even do it in 5.4.

@laoneo Hmm, reading the "Breaking changes:" section in their changelog and their migration guide I am not sure. Could you check that?

00b4bb4 17 Sep 2025

Merge branch '6.0-dev' into 6.0-dev-dependency-updates-2025-09-10

1553d5c 17 Sep 2025

NPM update tinymce to 8.1.0

richard67 - change - 17 Sep 2025

The description was changed

richard67 - edited - 17 Sep 2025

7c2ab1c 17 Sep 2025

NPM major update cypress to 15.2.0

richard67 - comment - 17 Sep 2025

@laoneo Meanwhile I've updated cypress to 15.2.0 here in this PR. System tests are working.

richard67 - change - 17 Sep 2025

The description was changed

richard67 - edited - 17 Sep 2025

laoneo - comment - 17 Sep 2025

Don't think so we need any of the features which have changed in 15. Good job by the way.

f58db3e 17 Sep 2025

Composer update phpstan to 2.1.27

richard67 - change - 17 Sep 2025

The description was changed

richard67 - edited - 17 Sep 2025

e9c572a 18 Sep 2025

NPM update tinymce to 8.1.1

9d2f841 18 Sep 2025

NPM update esbuild to 0.25.10

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

joomla-cms-bot - change - 18 Sep 2025

Category

External Library Composer Change NPM Change Front End Plugins Administration com_admin

⇒

Administration com_admin Repository External Library Composer Change NPM Change Front End Plugins

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

richard67 - comment - 18 Sep 2025

@Fedik As you have once added it with your PR #40714 , and @dgrammatiko as you were involved: Do you think we can safely update the NPM dependency "es-module-shims" from 1.10.1 to 2.6.2?

Checking their releases on https://github.com/guybedford/es-module-shims/releases I do not see any breaking changes, but maybe I miss something?

And are there changes which we should document somewhere for developers?

Unfortunately they don't have a migration documentation on https://github.com/guybedford/es-module-shims .

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

dgrammatiko - comment - 18 Sep 2025

It’s ok to update the polyfill

brianteeman - comment - 18 Sep 2025

did a quick check and all seems good so far. There is a relevant deprecation in tinyMCE but we dont need to worry about it until tinymce9

richard67 - comment - 18 Sep 2025

@brianteeman Thanks for checking so far. The only outstanding major NPM update is the es-module-shims. After that I will have do add testing instructions and make a PR for the developer documentation. I hope to have it ready in the next few days.

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

Fedik - comment - 18 Sep 2025

Do you think we can safely update the NPM dependency "es-module-shims" from 1.10.1 to 2.6.2?

yes, it should be good

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

richard67 - comment - 18 Sep 2025

The direct non-dev NPM dependencies "accessibility", "diff", "choices.js" and "cropperjs" will be done with separate PRs.

"shepherd.js" and "totp-generator" (the latter is dev and only used by our MFA system tests) cannot be updated, the former for license reasons and the latter because it does not work.

brianteeman - comment - 18 Sep 2025

accessibility can not be updated

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

richard67 - change - 18 Sep 2025

The description was changed

richard67 - edited - 18 Sep 2025

brianteeman - comment - 18 Sep 2025

tinymce just had another release

richard67 - comment - 18 Sep 2025

Thanks. Will check anyway tomorrow.

richard67 - comment - 18 Sep 2025

tinymce just had another release

@brianteeman Where? Latest is 8.1.2 from 12 hours ago: https://github.com/tinymce/tinymce/tags . My PR is already updated with that.

brianteeman - comment - 18 Sep 2025

Sorry you're correct. Three releases in two days got me confused

richard67 - change - 19 Sep 2025

The description was changed

richard67 - edited - 19 Sep 2025

richard67 - change - 19 Sep 2025

The description was changed

richard67 - edited - 19 Sep 2025

richard67 - change - 19 Sep 2025

The description was changed

richard67 - edited - 19 Sep 2025

richard67 - change - 19 Sep 2025

Title

…

[6.0] ~~[WiP]~~ Update Composer and NPM dependencies for 6.0.0-rc1

[6.0] Update Composer and NPM dependencies for 6.0.0-rc1

richard67 - edited - 19 Sep 2025

richard67 - change - 19 Sep 2025

The description was changed

richard67 - edited - 19 Sep 2025

richard67 - change - 19 Sep 2025

The description was changed

richard67 - edited - 19 Sep 2025

bembelimen - change - 20 Sep 2025

Status	Pending	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2025-09-20 15:24:26
Closed_By		⇒	bembelimen
Labels	Added: Documentation Required

bembelimen - close - 20 Sep 2025

bembelimen - merge - 20 Sep 2025

bembelimen - comment - 20 Sep 2025

Thx

richard67 - comment - 20 Sep 2025

@dgrammatiko Could you also review the PR for 5.4-dev, #46099 ?

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#46100] - [6.0] Update Composer and NPM dependencies for 6.0.0-rc1

Summary of Changes

Major Updates

Other Notable Updates

Updated dependencies

Composer Dependencies (non-dev)

NPM Dependencies (non-dev)

Composer Dependencies (dev)

NPM Dependencies (dev)

Testing Instructions

Test 1: Check package build - Variant 1

Test 1: Check package build - Variant 2

Test 2: Check if Joomla still works

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Link to documentations

Add a Comment