
avatar richard67
richard67
7 Mar 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes 2 critical, 4 high, 1 moderate and 2 low severity security vulnerabilities in NPM development dependencies reported by npm audit by using npm audit fix.

As they are all development dependencies, they are not shipped with installation or update packages.

@Bodge-IT @softforge It is the same as PR #47321 for 5.4-dev, but here for 6.0-dev so you don't have to handle any merge conflict in the lock file. Simply merge this PR here into your 6.0-dev branch, and when the 5.4-dev PR has been merged and you do an upmerge after that, just ignore all changes in package-lock.json and keep the file from 6.0-dev.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

ajv  <6.14.0 || >=7.0.0-alpha.0 <8.18.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv
node_modules/table/node_modules/ajv

fast-xml-parser  5.0.0 - 5.3.7
Severity: critical
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - https://github.com/advisories/GHSA-m7jm-9gc2-mpf2
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) - https://github.com/advisories/GHSA-jmr7-xgp7-cmfj
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.4
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder

immutable  5.0.0 - 5.1.4
Severity: high
Immutable is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-wf6x-7x77-mvgw
fix available via `npm audit fix`
node_modules/immutable

mailparser  <3.9.3
mailparser vulnerable to Cross-site Scripting - https://github.com/advisories/GHSA-7gmj-h9xc-mcxc
fix available via `npm audit fix`
node_modules/mailparser

minimatch  <=3.1.3 || 10.0.0 - 10.2.2
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/glob/node_modules/minimatch
node_modules/minimatch

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

systeminformation  <=5.30.7
Severity: high
Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation - https://github.com/advisories/GHSA-5vv4-hvf7-2h46
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - https://github.com/advisories/GHSA-9c88-49p5-5ggf
fix available via `npm audit fix`
node_modules/systeminformation

9 vulnerabilities (2 low, 1 moderate, 4 high, 2 critical)

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar richard67 richard67 - open - 7 Mar 2026
avatar richard67 richard67 - change - 7 Mar 2026
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 7 Mar 2026
Category NPM Change
avatar brianteeman brianteeman - test_item - 7 Mar 2026 - Tested successfully
avatar brianteeman
brianteeman - comment - 7 Mar 2026

I have tested this item ✅ successfully on 1a02f6c


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47322.

avatar muhme muhme - test_item - 7 Mar 2026 - Tested successfully
avatar muhme
muhme - comment - 7 Mar 2026

I have tested this item ✅ successfully on 1a02f6c

Tested with local git clone

  • The 9 vulnerabilities seen before the PR
  • Ran npm audit fix myself and checked that the created package-lock.json is identical to the one in the PR
  • Applied the PR with gh pr checkout 47322
  • npm audit found 0 vulnerabilities
  • Checked with npm ls --omit=dev that the 8 updated packages are not production dependencies
  • Checked that only the rollup package version is set in package.json and updated
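The check muhme describes above with npm ls --omit=dev, and the severity tally behind the PR summary ("2 critical, 4 high, 1 moderate and 2 low"), as an added example that is not part of this PR or the Joomla code base: it parses constructed samples of `npm audit --json` and `npm ls --omit=dev --all --json` output and reports which flagged packages also sit in the production tree. It assumes the JSON field names those commands emit in npm 7 and later (`vulnerabilities`, `severity`, nested `dependencies`).

```python
import json

# Constructed sample of `npm audit --json` (auditReportVersion 2), cut down to the
# fields this check reads. Names follow the report above; ranges are illustrative.
AUDIT_JSON = """{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "rollup":    {"name": "rollup",    "severity": "high",     "isDirect": true},
    "minimatch": {"name": "minimatch", "severity": "high",     "isDirect": false},
    "ajv":       {"name": "ajv",       "severity": "moderate", "isDirect": false},
    "qs":        {"name": "qs",        "severity": "low",      "isDirect": false}
  }
}"""

# Constructed sample of `npm ls --omit=dev --all --json`: the production tree only.
# `qs` is deliberately nested under a production package so the check flags it;
# in the real PR every affected package was dev-only and this list came back empty.
PROD_TREE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "some-http-client": {"version": "1.0.0",
                         "dependencies": {"qs": {"version": "6.10.0"}}}
  }
}"""

def severity_counts(audit):
    """Tally vulnerable packages by severity, like npm's closing summary line."""
    counts = {}
    for vuln in audit["vulnerabilities"].values():
        counts[vuln["severity"]] = counts.get(vuln["severity"], 0) + 1
    return counts

def packages_in_tree(tree):
    """Collect every package name from the nested `dependencies` objects of `npm ls --json`."""
    names, stack = set(), [tree.get("dependencies", {})]
    while stack:
        for name, node in stack.pop().items():
            names.add(name)
            stack.append(node.get("dependencies", {}))
    return names

def vulnerable_in_production(audit, prod_tree):
    """Vulnerable packages that also sit in the production tree; an empty list
    backs the claim that nothing affected ships in installation or update packages."""
    return sorted(set(audit["vulnerabilities"]) & packages_in_tree(prod_tree))

AUDIT, PROD_TREE = json.loads(AUDIT_JSON), json.loads(PROD_TREE_JSON)

if __name__ == "__main__":
    print(severity_counts(AUDIT))                      # {'high': 2, 'moderate': 1, 'low': 1}
    print(vulnerable_in_production(AUDIT, PROD_TREE))  # ['qs']
```

On a real checkout, feed the functions the parsed output of `npm audit --json` and `npm ls --omit=dev --all --json` instead of the constructed samples.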
avatar muhme muhme - change - 7 Mar 2026
Status Pending Ready to Commit
avatar muhme
muhme - comment - 7 Mar 2026

RTC



avatar softforge softforge - change - 9 Mar 2026
Labels Added: RTC NPM Resource Changed PR-6.0-dev
avatar softforge softforge - change - 9 Mar 2026
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2026-03-09 16:26:39
Closed_By softforge
avatar softforge softforge - close - 9 Mar 2026
avatar softforge softforge - merge - 9 Mar 2026
avatar softforge
softforge - comment - 9 Mar 2026

Thank you @richard67 and testers
