[#47406] - [5.4] NPM update indirect dependency "flatted" to fix a high severity security vulnerability
- Fixed in Code Base
- 17 Mar 2026
- Medium
- Build: 5.4-dev
- # 47406
- Diff
- richard67:5.4-dev-npm-audit-fix-2026-03-17
User tests: Successful: Unsuccessful:
Pull Request resolves # .
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
Summary of Changes
This pull request (PR) fixes one high severity security vulnerability in the indirect NPM non-development dependency "flatted" reported by npm audit by using npm audit fix.
In the 6.0-dev branch this has already been done with commit a305da2 in the upmerge PR #47402 .
Testing Instructions
It needs a development environment with a git clone, composer and npm.
- If not done before, run
composer installandnpm ci. - Run
npm audit. - Check the result.
Actual result BEFORE applying this Pull Request
# npm audit report
flatted <3.4.0
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
fix available via `npm audit fix`
node_modules/flatted
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.2, which is a breaking change
node_modules/tinymce
2 vulnerabilities (1 moderate, 1 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Expected result AFTER applying this Pull Request
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.3.2, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | NPM Change |
| Title |
|
||||||
I have tested this item ✅ successfully on 4048a61
Tested successfully, got the same results as mentioned in the pr
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47406.
I have tested this item ✅ successfully on 4048a61
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47406.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
NPM Resource Changed
PR-5.4-dev
|
||
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47406.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-03-17 16:42:44 |
| Closed_By | ⇒ | muhme | |
| Labels |
Added:
RTC
|
||
Thank you @richard67 for your contribution. Thank yoy @brianteeman, @adarshdubey03 and @krishnagandhicode for testing. Thank you @tecpromotion for review.
I have tested this item ✅ successfully on 4048a61
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47406.