NPM Resource Changed PR-5.4-dev Pending


richard67 - 7 Mar 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes 2 critical, 4 high, 1 moderate and 2 low severity security vulnerabilities in NPM development dependencies, as reported by npm audit, by running npm audit fix.

As they are all development dependencies, they are not shipped with installation or update packages.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

ajv  <6.14.0 || >=7.0.0-alpha.0 <8.18.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv
node_modules/table/node_modules/ajv

fast-xml-parser  5.0.0 - 5.3.7
Severity: critical
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - https://github.com/advisories/GHSA-m7jm-9gc2-mpf2
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) - https://github.com/advisories/GHSA-jmr7-xgp7-cmfj
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.4
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder

immutable  5.0.0 - 5.1.4
Severity: high
Immutable is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-wf6x-7x77-mvgw
fix available via `npm audit fix`
node_modules/immutable

mailparser  <3.9.3
mailparser vulnerable to Cross-site Scripting - https://github.com/advisories/GHSA-7gmj-h9xc-mcxc
fix available via `npm audit fix`
node_modules/mailparser

minimatch  <=3.1.3 || 10.0.0 - 10.2.2
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/glob/node_modules/minimatch
node_modules/minimatch

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

systeminformation  <=5.30.7
Severity: high
Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation - https://github.com/advisories/GHSA-5vv4-hvf7-2h46
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - https://github.com/advisories/GHSA-9c88-49p5-5ggf
fix available via `npm audit fix`
node_modules/systeminformation

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.2, which is a breaking change
node_modules/tinymce

10 vulnerabilities (2 low, 2 moderate, 4 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.2, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
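One way to mechanise step 3 of the testing instructions and the PR's claim that every fixed advisory is dev-only: an added Python example, not part of this PR or the Joomla project, that reads the JSON forms of the two commands the testers used (npm audit --json and npm ls --omit=dev --json; the auditReportVersion 2 shape and the fixAvailable/isSemVerMajor field are assumed from npm 7+) and flags any vulnerable package that also appears in the production tree, plus whether its fix needs --force as tinymce's does. The package names demo-site, demo-app and demo-lib are constructed.

```python
import json

# Constructed sample of `npm audit --json` (auditReportVersion 2 shape assumed).
# "tinymce" mirrors the advisory left after this PR; "demo-lib" is hypothetical
# and deliberately placed in the production tree below to show the failing case.
AUDIT = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "tinymce": {"name": "tinymce", "severity": "moderate", "range": "<7.0.0",
                "fixAvailable": {"name": "tinymce", "version": "8.3.2", "isSemVerMajor": true}},
    "demo-lib": {"name": "demo-lib", "severity": "high", "range": "<2.0.0", "fixAvailable": true}
  }
}""")

# Constructed sample of `npm ls --omit=dev --json`: the production tree only.
PROD_LS = json.loads("""{
  "name": "demo-site",
  "dependencies": {"demo-app": {"version": "1.0.0",
                                "dependencies": {"demo-lib": {"version": "1.4.0"}}}}
}""")

def production_packages(ls_tree: dict) -> set:
    """Collect every package name in the nested production dependency tree."""
    found, stack = set(), [ls_tree.get("dependencies", {})]
    while stack:
        for name, info in stack.pop().items():
            found.add(name)
            stack.append(info.get("dependencies", {}))
    return found

def fix_kind(entry: dict) -> str:
    """'auto': plain `npm audit fix`; 'breaking': needs --force; 'none': no fix."""
    fix = entry.get("fixAvailable", False)
    if isinstance(fix, dict):
        return "breaking" if fix.get("isSemVerMajor") else "auto"
    return "auto" if fix else "none"

def triage(audit: dict, ls_tree: dict) -> dict:
    """Per vulnerable package: severity, fix kind and whether it ships in production."""
    prod = production_packages(ls_tree)
    return {name: {"severity": v["severity"], "fix": fix_kind(v), "shipped": name in prod}
            for name, v in audit.get("vulnerabilities", {}).items()}

def shipped_vulnerabilities(audit: dict, ls_tree: dict) -> list:
    """Vulnerable packages that are also in the production tree, i.e. not dev-only."""
    return sorted(n for n, t in triage(audit, ls_tree).items() if t["shipped"])

if __name__ == "__main__":
    print(triage(AUDIT, PROD_LS))
    print("shipped vulnerabilities:", shipped_vulnerabilities(AUDIT, PROD_LS))
```

On a real checkout, replace the two constructed samples with the output of the two npm commands; an empty shipped list is what the PR description asserts.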

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

richard67 - open - 7 Mar 2026
richard67 - change - 7 Mar 2026
Status: New -> Pending
joomla-cms-bot - change - 7 Mar 2026
Category: NPM Change
brianteeman - test_item - 7 Mar 2026 - Tested successfully
brianteeman - comment - 7 Mar 2026

I have tested this item ✅ successfully on ede968c


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47321.

muhme - test_item - 7 Mar 2026 - Tested successfully
muhme - comment - 7 Mar 2026

I have tested this item ✅ successfully on ede968c

Tested with a local git clone:

  • The 10 vulnerabilities were seen before the PR
  • Ran npm audit fix on my own and checked that the created package-lock.json is identical with the PR's
  • Applied the PR with gh pr checkout 47321
  • npm audit shows only the known tinymce breaking change and moderate severity vulnerability
  • Checked with npm ls --omit=dev that the 8 updated packages are not production dependencies
  • Checked that only the rollup package version is set in package.json and updated
muhme - close - 7 Mar 2026
muhme - merge - 7 Mar 2026
muhme - change - 7 Mar 2026
Status: Pending -> Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 -> 2026-03-07 18:47:21
Closed_By: muhme
Labels Added: NPM Resource Changed PR-5.4-dev
muhme - comment - 7 Mar 2026

Thank you @richard67 for your contribution. Thank you @brianteeman for testing.

richard67 - comment - 7 Mar 2026

Thanks
