Pull Request for Issue # .
This pull request (PR) fixes one high severity and one moderate severity security vulnerability in indirect NPM development dependencies reported by npm audit by using npm audit fix.
It needs a development environment with a git clone, composer and npm.
composer install and npm ci, then npm audit:
# npm audit report
glob 11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob
js-yaml 4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.2.2, which is a breaking change
node_modules/tinymce
3 vulnerabilities (2 moderate, 1 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.2.2, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
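As an added example (not code from this PR or from Joomla), here is a Node script that reads the JSON form of the same report (`npm audit --json`) and separates advisories that `npm audit fix` resolves without a breaking change from those that would need `--force`, so a CI job can require the former to be fixed while explicitly deferring the latter, as this PR does with tinymce. The sample report is constructed from the three advisories quoted above, and the field names (`fixAvailable`, `isSemVerMajor`, `via`) assume npm's audit report v2 JSON layout.

```javascript
// Constructed sample in the shape of `npm audit --json` (audit report v2),
// built from the three advisories quoted in the PR; not real tool output.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    glob: { name: "glob", severity: "high", isDirect: false, range: "11.0.0 - 11.0.3",
      via: [{ url: "https://github.com/advisories/GHSA-5j98-mcp5-4vw2" }],
      nodes: ["node_modules/glob"], fixAvailable: true },
    "js-yaml": { name: "js-yaml", severity: "moderate", isDirect: false, range: "4.0.0 - 4.1.0",
      via: [{ url: "https://github.com/advisories/GHSA-mh29-5h37-fv8m" }],
      nodes: ["node_modules/js-yaml"], fixAvailable: true },
    tinymce: { name: "tinymce", severity: "moderate", isDirect: true, range: "<7.0.0",
      via: [{ url: "https://github.com/advisories/GHSA-5359-pvf2-pw78" }],
      nodes: ["node_modules/tinymce"],
      // fixAvailable is an object, not `true`, when the only fix is a semver-major bump
      fixAvailable: { name: "tinymce", version: "8.2.2", isSemVerMajor: true } },
  },
};

// `via` holds advisory objects, or plain package names when the package is
// only affected through a dependency; collect the GHSA ids from the URLs.
function advisoryIds(vuln) {
  return vuln.via.filter((v) => typeof v === "object" && v.url).map((v) => v.url.split("/").pop());
}

// Split the report into what `npm audit fix` resolves, what needs `--force`, and what has no fix.
function classify(report) {
  const out = { nonBreaking: [], breaking: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    const entry = { name: v.name, severity: v.severity, advisories: advisoryIds(v) };
    if (v.fixAvailable === true) out.nonBreaking.push(entry);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) out.breaking.push({ ...entry, upgradeTo: v.fixAvailable.version });
    else out.unfixable.push(entry);
  }
  return out;
}

// Model the state `npm audit fix` leaves: non-breaking entries gone, `--force` ones remain.
function withoutNonBreaking(report) {
  const kept = Object.entries(report.vulnerabilities).filter(([, v]) => v.fixAvailable !== true);
  return { ...report, vulnerabilities: Object.fromEntries(kept) };
}

// CI gate: fail if anything non-breaking is unfixed, or a remaining advisory is not explicitly deferred.
function gate(report, deferred) {
  const { nonBreaking, breaking, unfixable } = classify(report);
  const notDeferred = [...breaking, ...unfixable].flatMap((e) => e.advisories).filter((id) => !deferred.includes(id));
  return { ok: nonBreaking.length === 0 && notDeferred.length === 0, fixNow: nonBreaking.map((e) => e.name), notDeferred };
}
console.log(JSON.stringify(gate(sampleAudit, ["GHSA-5359-pvf2-pw78"]), null, 2));
```

Run against the real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleAudit`; the deferred list should name only advisories whose breaking upgrade is tracked elsewhere.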
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
| Category | ⇒ | NPM Change |
| Labels | Added: NPM Resource Changed, bug, PR-5.4-dev |
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-11-29 08:37:39 |
| Closed_By | ⇒ | muhme |
Thank you @richard67 for your contribution.
I have tested this item ✅ successfully on f93544b
- `gh pr checkout 46502` and running `npm audit`: the report shows only the one moderate tinymce severity vulnerability remaining, as expected
- `package-lock.json` file for comparison: gone back with `git switch -`, did `npm audit fix` on my own and got exactly the same `package-lock.json` file

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46502.