[#46571] - [5.4] NPM audit fix security vulnerabilities in indirect development dependencies 2025-12-13
- Fixed in Code Base
- 14 Dec 2025
- Medium
- Build: 5.4-dev
- # 46571
- Diff
- richard67:5.4-dev-npm-audit-fix-2025-12-13
User tests: Successful: Unsuccessful:
Pull Request for Issue # .
Summary of Changes
This pull request (PR) fixes three low severity security vulnerability in indirect NPM development dependencies reported by npm audit by using npm audit fix.
Testing Instructions
It needs a development environment with a git clone, composer and npm.
- If not done before, run
composer installandnpm ci. - Run
npm audit. - Check the result.
Actual result BEFORE applying this Pull Request
# npm audit report
nodemailer <=7.0.10
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls - https://github.com/advisories/GHSA-rcmh-qjqh-p98v
fix available via `npm audit fix`
node_modules/nodemailer
mailparser 2.3.1 - 3.9.0
Depends on vulnerable versions of nodemailer
node_modules/mailparser
smtp-server 2.0.0 - 3.16.1
Depends on vulnerable versions of nodemailer
node_modules/smtp-server
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.0, which is a breaking change
node_modules/tinymce
4 vulnerabilities (3 low, 1 moderate)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Expected result AFTER applying this Pull Request
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.0, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | NPM Change |
| Labels |
Added:
NPM Resource Changed
bug
PR-5.4-dev
|
||
I have tested this item ✅ successfully on 26e52f5
* Seen the 4 vulnerabilities (3 low, 1 moderate)
- Applied PR with
gh pr checkout 46571and runningnpm auditreport shows only the one moderate tinymce severity vulnerability remaining, as expected - Using node v24.11.1, saved
package-lock.jsonfile for comparisation, gone back withgit switch -, didnpm audit fixby own and got exactly the samepackage-lock.jsonfile - NPM package versions are only updated in minor or patch versions
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46571.
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-12-14 14:41:23 |
| Closed_By | ⇒ | muhme |
Thank you @richard67 for your contribution. Thank you @brianteeman for your test.
I have tested this item ✅ successfully on 359896f
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46571.