RTC NPM Resource Changed bug PR-6.0-dev Pending

richard67
13 Dec 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes three low severity security vulnerabilities in indirect NPM development dependencies reported by npm audit by using npm audit fix.

Same as PR #46571 for 5.4-dev, but here for 6.0-dev to avoid ugly merge conflicts for the upmerge after that.

In 6.1-dev, these vulnerabilities have already been fixed with PR #46546.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

nodemailer  <=7.0.10
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls - https://github.com/advisories/GHSA-rcmh-qjqh-p98v
fix available via `npm audit fix`
node_modules/nodemailer
  mailparser  2.3.1 - 3.9.0
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  smtp-server  2.0.0 - 3.16.1
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

3 low severity vulnerabilities

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

richard67 - open - 13 Dec 2025
richard67 - change - 13 Dec 2025
Status New Pending
joomla-cms-bot - change - 13 Dec 2025
Category NPM Change
richard67 - change - 13 Dec 2025
The description was changed
richard67 - edited - 13 Dec 2025
brianteeman - test_item - 13 Dec 2025 - Tested successfully
brianteeman - comment - 13 Dec 2025

I have tested this item ✅ successfully on a7a54c7


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46572.

muhme - test_item - 14 Dec 2025 - Tested successfully
muhme - comment - 14 Dec 2025

I have tested this item ✅ successfully on a7a54c7

  • Seen the 3 low severity vulnerabilities before
  • Applied the PR with gh pr checkout 46572, and running npm audit reported "found 0 vulnerabilities"
  • Using node v24.11.1, saved the package-lock.json file for comparison, went back with git switch -, ran npm audit fix on my own and got exactly the same package-lock.json file
  • NPM package versions are only updated in minor or patch version

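The lock-file check described in the comment above (regenerate package-lock.json with npm audit fix, compare it, and confirm that only minor or patch versions moved) can be scripted. This is an added example, not part of the PR or of the comment; it assumes lockfileVersion 2 or 3, and the function names, the example-dep package and the "after" version numbers are constructed for illustration.

```javascript
// Classify version changes between two parsed package-lock.json objects.
// Assumes lockfileVersion 2 or 3 (a top-level "packages" map keyed by install path).

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffix ignored); null if not semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

// Name the highest-order component that differs between two versions.
function classify(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  if (!a || !b) return "unparsed";
  const names = ["major", "minor", "patch"];
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return b[i] < a[i] ? "downgrade" : names[i];
  }
  return "other"; // same x.y.z, differing prerelease or build metadata
}

// List every install path whose resolved version differs between the two locks.
function diffLocks(before, after) {
  const b = before.packages || {}, a = after.packages || {};
  const changes = [];
  for (const path of new Set([...Object.keys(b), ...Object.keys(a)])) {
    const from = b[path] && b[path].version, to = a[path] && a[path].version;
    if (from === to) continue;
    const change = !from ? "added" : !to ? "removed" : classify(from, to);
    changes.push({ path, from, to, change });
  }
  return changes.sort((x, y) => (x.path < y.path ? -1 : 1));
}

// Anything other than a minor or patch bump deserves a manual look.
function needsReview(changes) {
  return changes.filter((c) => c.change !== "minor" && c.change !== "patch");
}

// Constructed sample data; the "after" versions are illustrative, not the PR's.
const lockBefore = { lockfileVersion: 3, packages: {
  "node_modules/nodemailer": { version: "7.0.10" },
  "node_modules/smtp-server": { version: "3.16.1" },
  "node_modules/example-dep": { version: "1.4.2" } } };
const lockAfter = { lockfileVersion: 3, packages: {
  "node_modules/nodemailer": { version: "7.0.11" },
  "node_modules/smtp-server": { version: "3.17.0" },
  "node_modules/example-dep": { version: "2.0.0" } } };
console.log(diffLocks(lockBefore, lockAfter), needsReview(diffLocks(lockBefore, lockAfter)));
```

On real files, pass the two lock files through JSON.parse and hand the results to diffLocks; an empty needsReview result matches the "only minor or patch" observation.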
muhme - change - 14 Dec 2025
Status Pending Ready to Commit
muhme - comment - 14 Dec 2025

RTC

richard67 - comment - 14 Dec 2025

@Bodge-IT @softforge This PR here should go into 6.0.2 (and the upcoming 6.0.2-rc1). Best is to merge it before your next upmerge, and then in the upmerge ignore the package-lock.json completely, keeping the version from 6.0-dev.

Bodge-IT - change - 14 Dec 2025
Labels Added: RTC NPM Resource Changed bug PR-6.0-dev
Bodge-IT - change - 14 Dec 2025
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2025-12-14 21:47:38
Closed_By Bodge-IT
Bodge-IT - close - 14 Dec 2025
Bodge-IT - merge - 14 Dec 2025
Bodge-IT - comment - 14 Dec 2025

Thanks @richard67, suggestion noted. Thanks @brianteeman & @muhme for tests
