Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#46713] - [6.0] NPM audit fix low severity security vulnerability by updating diff from 8.0.2 to 8.0.3

RTC NPM Resource Changed bug PR-6.0-dev Pending

User tests: Successful: Unsuccessful:

avatar richard67
richard67
18 Jan 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one low severity security vulnerability in NPM dependencies reported by npm audit by using npm audit fix.

@Bodge-IT @softforge @muhme In opposite to my previous PRs of this kind there is no corresponding PR in the 5.4-dev branch this time because in 5.4-dev it would mean a major update of the "diff dependency".

@HLeithner @tecpromotion In 6.1-dev the changes from this PR here have already been made with the last NPM dependency update, so simply ignore the changes when doing your upmerge after this PR here has been merged into 6.0-dev.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

diff  <8.0.3
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix`
node_modules/diff

1 low severity vulnerability

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar richard67 richard67 - open - 18 Jan 2026
avatar richard67 richard67 - change - 18 Jan 2026
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 18 Jan 2026
Category NPM Change
avatar brianteeman brianteeman - test_item - 19 Jan 2026 - Tested successfully
avatar brianteeman
brianteeman - comment - 19 Jan 2026

I have tested this item ✅ successfully on 25a59c1

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46713.

avatar muhme muhme - test_item - 19 Jan 2026 - Tested successfully
avatar muhme
muhme - comment - 19 Jan 2026

I have tested this item ✅ successfully on 25a59c1

Tested based on git clone

  • Seen the low severity vulnerability from jsdiff
  • Running npm audit fix by own and saved package-lock.json file
  • Applied PR with gh pr checkout 46713
  • Own created and patched package-lock.json files are identical
  • npm audit found 0 vulnerabilities
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46713.
avatar muhme muhme - change - 19 Jan 2026
Status Pending Ready to Commit
avatar muhme
muhme - comment - 19 Jan 2026

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46713.

avatar Bodge-IT Bodge-IT - change - 20 Jan 2026
Labels Added: RTC NPM Resource Changed bug PR-6.0-dev
avatar Bodge-IT Bodge-IT - change - 20 Jan 2026
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2026-01-20 11:43:29
Closed_By Bodge-IT
avatar Bodge-IT Bodge-IT - close - 20 Jan 2026
avatar Bodge-IT Bodge-IT - merge - 20 Jan 2026
avatar Bodge-IT
Bodge-IT - comment - 20 Jan 2026

Thanks @richard67 for the fix and @brianteeman & @muhme for testing

Add a Comment

Login with GitHub to post a comment