Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#46662] - [5.4] NPM audit fix security vulnerabilities in development dependencies 2026-01-10

NPM Resource Changed bug PR-5.4-dev Pending

User tests: Successful: Unsuccessful:

avatar richard67
richard67
10 Jan 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes two high and one low severity security vulnerabilities in NPM development dependencies reported by npm audit by using npm audit fix.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

@smithy/config-resolver  <4.4.0
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value - https://github.com/advisories/GHSA-6475-r3vj-m8vf
fix available via `npm audit fix`
node_modules/@smithy/config-resolver

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs
  @cypress/request  <=3.0.9
  Depends on vulnerable versions of qs
  node_modules/@cypress/request

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.1, which is a breaking change
node_modules/tinymce

4 vulnerabilities (1 low, 1 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.1, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar richard67 richard67 - open - 10 Jan 2026
avatar richard67 richard67 - change - 10 Jan 2026
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 10 Jan 2026
Category NPM Change
avatar richard67 richard67 - change - 10 Jan 2026
Labels Added: NPM Resource Changed bug PR-5.4-dev
avatar richard67 richard67 - change - 10 Jan 2026
The description was changed
avatar richard67 richard67 - edited - 10 Jan 2026
avatar brianteeman brianteeman - test_item - 11 Jan 2026 - Tested successfully
avatar brianteeman
brianteeman - comment - 11 Jan 2026

I have tested this item ✅ successfully on 825894f

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46662.

avatar richard67 richard67 - alter_testresult - 12 Jan 2026 - brianteeman: Tested successfully
avatar muhme muhme - change - 13 Jan 2026
Status Pending Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2026-01-13 15:26:25
Closed_By muhme
avatar muhme muhme - close - 13 Jan 2026
avatar muhme muhme - merge - 13 Jan 2026
avatar muhme
muhme - comment - 13 Jan 2026

Thank you @richard67 for your contribution. Thank you @brianteeman for testing.

Add a Comment

Login with GitHub to post a comment