Pull Request for Issue # .
This pull request (PR) fixes one low and one moderate severity security vulnerability in NPM dependencies reported by npm audit by using npm audit fix.
This updates the direct non-developer dependency "diff" from 5.3.0 to 5.2.2 and the indirect development dependency "lodash" from 4.7.21 to 4.7.23.
@Bodge-IT @softforge @muhme In 6.0-dev the "diff" dependency has already been updated with PR #46713 from 8.0.2 to 8.0.3 to fix the same vulnerability. At that time there was no fix for their version 5. Now we have it in this PR here.
For the "lodash" dependency I've made PR #46759 for 6.0-dev to avoid ugly merge conflicts in the upmerge. @HLeithner @tecpromotion That update will also be needed in 6.1-dev. I can make a separate PR for that to avoid merge conflicts for your upmerge, but if you plan to do another, general NPM update anyway, it would not need my separate 6.1-dev PR.
It needs a development environment with a git clone, composer and npm.
composer install and npm ci.
npm audit.
# npm audit report
diff 5.0.0 - 5.2.1
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix`
node_modules/diff
lodash 4.0.0 - 4.17.21
Severity: moderate
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
fix available via `npm audit fix`
node_modules/lodash
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.2, which is a breaking change
node_modules/tinymce
3 vulnerabilities (1 low, 2 moderate)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.2, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
| Category | ⇒ | NPM Change |
| Labels | ⇒ | Added: NPM Resource Changed, bug, PR-5.4-dev |

| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-01-26 13:39:49 |
| Closed_By | ⇒ | muhme |
Thank you @richard67.