NPM Resource Changed bug PR-5.4-dev Pending

User tests: Successful: Unsuccessful:

richard67
19 Dec 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes two high severity security vulnerabilities in NPM development dependencies reported by npm audit by using npm audit fix.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

systeminformation  <5.27.14
Severity: high
systeminformation has a Command Injection vulnerability in fsSize() function on Windows - https://github.com/advisories/GHSA-wphj-fx3q-84ch
fix available via `npm audit fix`
node_modules/systeminformation
  cypress  15.1.0 - 15.8.0
  Depends on vulnerable versions of systeminformation
  node_modules/cypress

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.1, which is a breaking change
node_modules/tinymce

3 vulnerabilities (1 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.1, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
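
The "check the result" step from the testing instructions can be automated against the output of `npm audit --json`. The following is an added example, not code from this pull request or from the Joomla project; the two report objects are constructed from the text reports above, and `triageAudit`, `gate` and the threshold policy are hypothetical.

```javascript
// Constructed sample: the "before" report from this PR, written in the shape
// `npm audit --json` emits (auditReportVersion 2); only the fields used here.
const beforeReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    systeminformation: { severity: "high", range: "<5.27.14", fixAvailable: true },
    cypress: { severity: "high", range: "15.1.0 - 15.8.0", fixAvailable: true },
    tinymce: {
      severity: "moderate",
      range: "<7.0.0",
      fixAvailable: { name: "tinymce", version: "8.3.1", isSemVerMajor: true },
    },
  },
};
// Constructed "after" report: only the tinymce finding remains.
const afterReport = {
  auditReportVersion: 2,
  vulnerabilities: { tinymce: beforeReport.vulnerabilities.tinymce },
};

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Sort findings into: fixed by plain `npm audit fix`, fixed only by
// `--force` (semver-major upgrade), or no fix published.
function triageAudit(report) {
  const out = { safeFix: [], needsForce: [], noFix: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    const entry = { name, severity: v.severity, range: v.range };
    if (fix && typeof fix === "object") {
      entry.target = `${fix.name}@${fix.version}`;
      (fix.isSemVerMajor ? out.needsForce : out.safeFix).push(entry);
    } else {
      (fix === true ? out.safeFix : out.noFix).push(entry);
    }
  }
  return out;
}

// Hypothetical gate policy: fail on any finding at or above `threshold`.
function gate(report, threshold = "high") {
  const triage = triageAudit(report);
  const blocking = Object.values(triage).flat()
    .filter((e) => RANK[e.severity] >= RANK[threshold])
    .map((e) => e.name);
  return { pass: blocking.length === 0, blocking, triage };
}

console.log(gate(beforeReport).blocking, gate(afterReport).pass);
```

With the default threshold the constructed "before" report fails on the two high findings and the "after" report passes, while the tinymce finding stays listed under `needsForce` because its fix is a semver-major upgrade.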

richard67 - open - 19 Dec 2025
richard67 - change - 19 Dec 2025
Status: New → Pending
joomla-cms-bot - change - 19 Dec 2025
Category: NPM Change
brianteeman - test_item - 19 Dec 2025 - Tested successfully
brianteeman - comment - 19 Dec 2025

I have tested this item ✅ successfully on aef84ac


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46590.

Bodge-IT - test_item - 19 Dec 2025 - Tested successfully
Bodge-IT - comment - 19 Dec 2025

I have tested this item ✅ successfully on aef84ac

2 high vulnerabilities cleared
1 moderate remaining



richard67 - change - 19 Dec 2025
Status: Pending → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2025-12-19 13:37:04
Closed_By: richard67
Labels Added: NPM Resource Changed bug PR-5.4-dev
richard67 - close - 19 Dec 2025
richard67 - merge - 19 Dec 2025
