This pull request (PR) fixes one high severity and one moderate severity security vulnerability in indirect NPM development dependencies reported by `npm audit`, by using `npm audit fix`.
It is the same as PR #46503 for 6.0-dev, which for some reason was not merged up with PR #46536.
Meanwhile there are 4 new low severity vulnerabilities found, which are all related to nodemailer and cannot be fixed without the `--force` option. These have to be handled separately with other PRs for the various branches.
It needs a development environment with a git clone, composer and npm.
Run `composer install` and `npm ci`, then `npm audit`. Before the fix:

```
# npm audit report

glob 11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob

js-yaml 4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml

nodemailer <=7.0.10
Nodemailer's addressparser is vulnerable to DoS caused by recursive calls - https://github.com/advisories/GHSA-rcmh-qjqh-p98v
fix available via `npm audit fix --force`
Will install smtp-tester@0.6.3, which is a breaking change
node_modules/nodemailer
  mailparser >=2.3.1
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
    smtp-tester >=1.0.0
    Depends on vulnerable versions of mailparser
    Depends on vulnerable versions of smtp-server
    node_modules/smtp-tester
  smtp-server >=2.0.0
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

6 vulnerabilities (4 low, 1 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

After the fix, only the nodemailer-related findings remain:

```
# npm audit report

nodemailer <=7.0.10
Nodemailer's addressparser is vulnerable to DoS caused by recursive calls - https://github.com/advisories/GHSA-rcmh-qjqh-p98v
fix available via `npm audit fix --force`
Will install smtp-tester@1.2.0, which is a breaking change
node_modules/nodemailer
  mailparser >=2.3.1
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
    smtp-tester >=1.0.0
    Depends on vulnerable versions of mailparser
    Depends on vulnerable versions of smtp-server
    node_modules/smtp-tester
  smtp-server >=2.0.0
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

4 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
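The split this PR makes, applying what `npm audit fix` can update without a breaking change and deferring the nodemailer chain that needs `--force`, can be checked mechanically from `npm audit --json`. The script below is an added example, not part of this PR or the Joomla code base; it assumes the npm 7+ JSON layout (`fixAvailable` is `true`, or an object carrying `isSemVerMajor` when only a breaking bump fixes the finding) and uses a constructed sample mirroring the report above.

```python
import json
import subprocess

# Constructed sample of `npm audit --json` output (npm 7+ layout, assumed), mirroring
# this PR's report: two findings plain `npm audit fix` can update, two that need --force.
SAMPLE_AUDIT = json.dumps({"vulnerabilities": {
    "glob": {"severity": "high", "range": "11.0.0 - 11.0.3", "fixAvailable": True},
    "js-yaml": {"severity": "moderate", "range": "4.0.0 - 4.1.0", "fixAvailable": True},
    "nodemailer": {"severity": "low", "range": "<=7.0.10", "fixAvailable":
                   {"name": "smtp-tester", "version": "0.6.3", "isSemVerMajor": True}},
    "mailparser": {"severity": "low", "range": ">=2.3.1", "fixAvailable":
                   {"name": "smtp-tester", "version": "0.6.3", "isSemVerMajor": True}},
}})
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def triage(audit_json):
    """Sorted lists: fixable by plain `npm audit fix`, fixable only with `--force`
    (a semver-major change somewhere up the tree), and findings with no fix at all."""
    safe, breaking, unfixed = [], [], []
    for name, vuln in sorted(json.loads(audit_json)["vulnerabilities"].items()):
        fix = vuln.get("fixAvailable", False)
        if fix is True or (isinstance(fix, dict) and not fix.get("isSemVerMajor")):
            safe.append(name)       # non-breaking update available
        elif isinstance(fix, dict):
            breaking.append(name)   # only via `npm audit fix --force`
        else:
            unfixed.append(name)    # nothing published yet
    return safe, breaking, unfixed

def gate(audit_json, fail_at="moderate"):
    """Findings at or above `fail_at` that plain `npm audit fix` cannot clear;
    a CI step should fail when this is non-empty and merely report the rest."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    _, breaking, unfixed = triage(audit_json)
    return sorted(n for n in breaking + unfixed
                  if SEVERITY_RANK[vulns[n]["severity"]] >= SEVERITY_RANK[fail_at])

def run_audit():
    """Live report; `npm audit` exits non-zero when it finds anything, so no check=True."""
    return subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True).stdout

if __name__ == "__main__":
    print("fix / force / none:", triage(SAMPLE_AUDIT))
    print("blocking at moderate and above:", gate(SAMPLE_AUDIT))
```

Swap `SAMPLE_AUDIT` for `run_audit()` inside a checkout to triage the real tree; with the sample, the low-severity nodemailer chain is reported but does not block at the default threshold.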
No documentation changes for docs.joomla.org needed.
No documentation changes for manual.joomla.org needed.
| Field | Before | After |
| --- | --- | --- |
| Status | New | Pending |
| Category | | NPM Change |
| Status | Pending | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2025-12-07 11:27:14 |
| Closed_By | | HLeithner |
| Labels | | Added: NPM Resource Changed, PR-6.1-dev |
@richard67 Stefan has already a PR in progress for composer and npm update; if OK for you I'm closing this for now. Thanks.
Ping @HLeithner @tecpromotion.