Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#46430] - [6.0] NPM audit fix security vulnerabilities in indirect development dependencies

RTC NPM Resource Changed PR-6.0-dev Pending

User tests: Successful: Unsuccessful:

avatar richard67
richard67
9 Nov 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one low severity and 3 moderate severity security vulnerabilities in indirect NPM development dependencies reported by npm audit by using npm audit fix.

Same as PR #46429 for 5.4-dev, but here for 6.0-dev to avoid ugly merge conflicts for the upmerge after that.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

min-document  <=2.19.0
min-document vulnerable to prototype pollution - https://github.com/advisories/GHSA-rx8g-88g5-qh64
fix available via `npm audit fix`
node_modules/min-document

nodemailer  <7.0.7
Severity: moderate
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict - https://github.com/advisories/GHSA-mm7p-fcc7-pg87
fix available via `npm audit fix`
node_modules/nodemailer
node_modules/smtp-server/node_modules/nodemailer
  mailparser  2.3.1 - 3.7.4
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  smtp-server  2.0.0 - 3.14.0
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

4 vulnerabilities (1 low, 3 moderate)

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar richard67 richard67 - open - 9 Nov 2025
avatar richard67 richard67 - change - 9 Nov 2025
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 9 Nov 2025
Category NPM Change
avatar richard67
richard67 - comment - 9 Nov 2025

@brianteeman Could you also test this one here? Thanks in advance.

avatar brianteeman brianteeman - test_item - 9 Nov 2025 - Tested successfully
avatar brianteeman
brianteeman - comment - 9 Nov 2025

I have tested this item ✅ successfully on d8d6e46

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46430.

avatar muhme muhme - test_item - 10 Nov 2025 - Tested successfully
avatar muhme
muhme - comment - 10 Nov 2025

I have tested this item ✅ successfully on d8d6e46

Tested with JBT

  • Seen the 4 vulnerabilities (1 low, 3 moderate) before
  • Applied PR with gh pr checkout 46430 and running npm audit report found 0 vulnerabilities
  • Gone back with git switch -, updated NPM 11.6.2 with npm install -g npm@latest and did npm audit fix by own and got exactly the same package-lock.json file
  • npm ci is still working and reports found 0 vulnerabilities
    This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46430.
avatar muhme muhme - change - 10 Nov 2025
Status Pending Ready to Commit
avatar muhme
muhme - comment - 10 Nov 2025

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46430.

avatar Bodge-IT Bodge-IT - change - 10 Nov 2025
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2025-11-10 17:19:24
Closed_By Bodge-IT
Labels Added: RTC NPM Resource Changed PR-6.0-dev
avatar Bodge-IT Bodge-IT - close - 10 Nov 2025
avatar Bodge-IT Bodge-IT - merge - 10 Nov 2025
avatar Bodge-IT
Bodge-IT - comment - 10 Nov 2025

Thanks @richard67 for the PR and thanks testers for ...tests!

Add a Comment

Login with GitHub to post a comment