RTC NPM Resource Changed bug PR-6.0-dev Pending


richard67 - 26 Nov 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one high severity and one moderate severity security vulnerability in indirect NPM development dependencies reported by npm audit by using npm audit fix.

Same as PR #46502 for 5.4-dev, but here for 6.0-dev to avoid ugly merge conflicts for the upmerge after that.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

glob  11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml

2 vulnerabilities (1 moderate, 1 high)

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentation

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
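The testing instructions above compare the `npm audit` text report before and after the fix by eye. As an added example (not part of this PR or the Joomla code base), the script below does the same check in a CI-friendly way on the JSON form of the report (`npm audit --json`): it counts findings per severity, lists everything at or above a threshold, and reports whether `npm audit fix` can resolve all of them, mirroring the "2 vulnerabilities (1 moderate, 1 high)" and "found 0 vulnerabilities" lines. The two sample reports are constructed here from the advisories named in the PR; the function names, the `moderate` default threshold and the report shape (`auditReportVersion: 2`, as emitted by npm 7 and later) are assumptions of this example.

```javascript
// Added example, not code from the PR: gate a CI job on `npm audit --json` output.
// Usage: npm audit --json > audit.json; node audit-gate.js audit.json   (exit 1 if blocked)
// Without an argument it evaluates the two constructed samples below.

// Severity names as npm audit uses them, lowest first.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample matching the "before" report on the PR (shape assumed from npm >= 7).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    glob: {
      name: 'glob', severity: 'high', isDirect: false, range: '11.0.0 - 11.0.3',
      via: [{ title: 'glob CLI: Command injection via -c/--cmd executes matches with shell:true',
              url: 'https://github.com/advisories/GHSA-5j98-mcp5-4vw2', severity: 'high' }],
      fixAvailable: true,
    },
    'js-yaml': {
      name: 'js-yaml', severity: 'moderate', isDirect: false, range: '4.0.0 - 4.1.0',
      via: [{ title: 'js-yaml has prototype pollution in merge (<<)',
              url: 'https://github.com/advisories/GHSA-mh29-5h37-fv8m', severity: 'moderate' }],
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 } },
};

// Constructed sample matching the "after" report: nothing left to report.
const FIXED_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {},
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 0, total: 0 } },
};

// Evaluate a report: per-severity counts, the findings at or above `threshold`,
// and whether every blocking finding has an automatic fix.
function evaluateAudit(report, threshold = 'moderate') {
  const minRank = SEVERITY_ORDER.indexOf(threshold);
  if (minRank < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const blocking = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    counts[vuln.severity] = (counts[vuln.severity] || 0) + 1;
    if (SEVERITY_ORDER.indexOf(vuln.severity) < minRank) continue;
    blocking.push({
      name: vuln.name,
      severity: vuln.severity,
      range: vuln.range,
      direct: Boolean(vuln.isDirect),
      // `via` mixes advisory objects with plain package-name strings (transitive chains);
      // keep only the advisory URLs.
      advisories: (vuln.via || []).filter((v) => typeof v === 'object' && v.url).map((v) => v.url),
      // npm reports fixAvailable as true, false, or an object describing a semver-major fix.
      fixAvailable: vuln.fixAvailable === true || typeof vuln.fixAvailable === 'object',
    });
  }
  return {
    counts,
    total: blocking.length,
    blocking,
    pass: blocking.length === 0,
    allAutoFixable: blocking.every((b) => b.fixAvailable),
  };
}

// Render a summary in the style of the npm text report.
function formatSummary(result) {
  if (result.pass) return 'found 0 vulnerabilities';
  const bySeverity = {};
  for (const b of result.blocking) bySeverity[b.severity] = (bySeverity[b.severity] || 0) + 1;
  const parts = SEVERITY_ORDER.filter((s) => bySeverity[s]).map((s) => `${bySeverity[s]} ${s}`);
  const lines = [`${result.total} vulnerabilities (${parts.join(', ')})`];
  for (const b of result.blocking) {
    lines.push(`  ${b.name} ${b.range} [${b.severity}]${b.direct ? '' : ' (indirect)'}` +
               `${b.fixAvailable ? ' - fix available via npm audit fix' : ' - no automatic fix'}`);
    for (const url of b.advisories) lines.push(`    ${url}`);
  }
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  if (process.argv[2]) {
    const report = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
    const result = evaluateAudit(report);
    console.log(formatSummary(result));
    process.exitCode = result.pass ? 0 : 1;
  } else {
    console.log('BEFORE:\n' + formatSummary(evaluateAudit(SAMPLE_REPORT)));
    console.log('AFTER:\n' + formatSummary(evaluateAudit(FIXED_REPORT)));
  }
}
```

Raising the threshold to `high` would let the js-yaml finding through while still blocking on glob, which is why the threshold is an explicit parameter rather than hard-coded; the `direct` flag is carried so a reviewer can see at a glance that, as in this PR, the affected packages are indirect development dependencies.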

richard67 - open - 26 Nov 2025
richard67 - change - 26 Nov 2025
Status: New → Pending
joomla-cms-bot - change - 26 Nov 2025
Category: NPM Change
muhme - change - 29 Nov 2025
Title changed from:
[6.0] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-16
to:
[6.0] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-26
muhme - edited - 29 Nov 2025
muhme - test_item - 29 Nov 2025 - Tested successfully
muhme - comment - 29 Nov 2025

I have tested this item ✅ successfully on 08325f1

  • Using node v24.11.1
  • Seen the 2 vulnerabilities (1 high, 1 moderate) before
  • Applied PR with gh pr checkout 46502 and running npm audit reports 0 vulnerabilities
  • Saved the package-lock.json file for comparison, went back with git switch -, ran npm audit fix on my own and got exactly the same package-lock.json file
  • The license change for two packages from ISC to BlueOak-1.0.0 looks, to my simple understanding, to be in OSI-compatible spirit.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46503.
brianteeman - test_item - 30 Nov 2025 - Tested successfully
brianteeman - comment - 30 Nov 2025

I have tested this item ✅ successfully on 08325f1

alikon - change - 30 Nov 2025
Status: Pending → Ready to Commit
alikon - comment - 30 Nov 2025

RTC

richard67 - change - 30 Nov 2025
Labels added: RTC, NPM Resource Changed, bug, PR-6.0-dev
