User tests: Successful: Unsuccessful:
Pull Request for Issue # .
This pull request (PR) fixes one low severity and 3 moderate severity security vulnerabilities in indirect NPM development dependencies reported by npm audit by using npm audit fix.
It needs a development environment with a git clone, composer and npm.
composer install and npm ci.

npm audit.

```text
# npm audit report

min-document <=2.19.0
min-document vulnerable to prototype pollution - https://github.com/advisories/GHSA-rx8g-88g5-qh64
fix available via `npm audit fix`
node_modules/min-document

nodemailer <7.0.7
Severity: moderate
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict - https://github.com/advisories/GHSA-mm7p-fcc7-pg87
fix available via `npm audit fix`
node_modules/nodemailer
node_modules/smtp-server/node_modules/nodemailer
  mailparser 2.3.1 - 3.7.4
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  smtp-server 2.0.0 - 3.14.0
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.2.1, which is a breaking change
node_modules/tinymce

5 vulnerabilities (1 low, 4 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

```text
# npm audit report

tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.2.1, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Please select:
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
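As an added example (not part of this pull request or of Joomla's own tooling), a small Python triage of `npm audit --json` output that separates the findings a plain `npm audit fix` resolves from those that need `--force`, so a CI gate can fail on the latter while the breaking upgrade (tinymce@8.2.1 here) goes through review instead of automation. The embedded report is a constructed sample in the npm v7+ JSON shape mirroring the advisories above; the `triage` and `gate` names and the severity threshold are my assumptions.

```python
"""Triage an `npm audit --json` report: what plain `npm audit fix` resolves, what
needs `--force` (a breaking upgrade to review, like tinymce@8.2.1 here), what has no fix."""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def _vuln(name, severity, rng, fix, via):
    # One entry of the npm v7+ (auditReportVersion 2) "vulnerabilities" map.
    return {"name": name, "severity": severity, "isDirect": False, "via": via,
            "range": rng, "nodes": [f"node_modules/{name}"], "fixAvailable": fix}

# Constructed sample mirroring this PR's npm audit output; "via" holds advisory
# objects for a direct finding and package names for a transitive one.
SAMPLE_AUDIT_JSON = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "min-document": _vuln("min-document", "low", "<=2.19.0", True,
        [{"title": "min-document vulnerable to prototype pollution",
          "url": "https://github.com/advisories/GHSA-rx8g-88g5-qh64"}]),
    "nodemailer": _vuln("nodemailer", "moderate", "<7.0.7", True,
        [{"title": "Email to an unintended domain can occur due to Interpretation Conflict",
          "url": "https://github.com/advisories/GHSA-mm7p-fcc7-pg87"}]),
    "mailparser": _vuln("mailparser", "moderate", "2.3.1 - 3.7.4", True, ["nodemailer"]),
    "smtp-server": _vuln("smtp-server", "moderate", "2.0.0 - 3.14.0", True, ["nodemailer"]),
    "tinymce": _vuln("tinymce", "moderate", "<7.0.0",
        {"name": "tinymce", "version": "8.2.1", "isSemVerMajor": True},
        [{"title": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files",
          "url": "https://github.com/advisories/GHSA-5359-pvf2-pw78"}]),
}})

def triage(report_json, threshold="moderate"):
    """Split findings at or above `threshold` into (auto_fixable, needs_force, no_fix).
    fixAvailable is True (plain `npm audit fix` suffices), an object naming the
    top-level package `--force` would install, or False (nothing published)."""
    auto, force, none = [], [], []
    for name, vuln in sorted(json.loads(report_json)["vulnerabilities"].items()):
        if SEVERITY_RANK.get(vuln["severity"], 0) < SEVERITY_RANK[threshold]:
            continue
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            auto.append(name)
        elif isinstance(fix, dict):
            kind = "breaking" if fix.get("isSemVerMajor") else "outside dependency range"
            force.append(f"{name} -> {fix['name']}@{fix['version']} ({kind})")
        else:
            none.append(name)
    return auto, force, none

def gate(report_json, threshold="moderate"):
    """CI gate: True only if nothing at/above `threshold` survives a plain `npm audit
    fix`; `--force` candidates need a reviewed upgrade, not an automated one."""
    _, force, none = triage(report_json, threshold)
    return not force and not none
```

Run it against a real report with `npm audit --json > audit.json` and pass the file contents to `gate`; the threshold can be raised to `high` for projects that only block on high and critical findings.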
| Status | New | ⇒ | Pending |
| Category | ⇒ | NPM Change |
When I check the values of package-lock.json after locally running npm audit I have one additional change not present in this pr
@brianteeman Maybe your branch was not up to date? If you check the file in my PR you will see the versions are already 5.4.1:
Lines 1 to 12 in a6f240f
Must have been that, sorry for the noise.
I have tested this item ✅ successfully on a6f240f
@brianteeman Thanks for testing.
I have tested this item ✅ successfully on a6f240f
Tested with JBT
gh pr checkout 46429 and running npm audit report shows the 1 moderate severity vulnerability.

git switch -, updated NPM with npm install -g npm@latest and did npm audit fix on my own and got exactly the same package-lock.json file.

| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-11-10 06:19:43 |
| Closed_By | ⇒ | muhme |
| Labels | Added: NPM Resource Changed, PR-5.4-dev |
Thank you @richard67 for your contribution. Thank you @brianteeman for testing.