Joomla! Issue Tracker | Joomla! CMS #47407 - [6.1] NPM update indirect dependency "flatted" to fix a high severity security vulnerability

NPM Resource Changed PR-6.1-dev

Fixed in Code Base
17 Mar 2026
Medium
Build: 6.1-dev
# 47407
Diff
richard67:6.1-dev-npm-audit-fix-2026-03-17

Pending

User tests: Successful: Unsuccessful:

richard67
17 Mar 2026

Pull Request resolves # .

I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes one high severity security vulnerability in the indirect NPM non-development dependency "flatted" reported by npm audit by using npm audit fix.

it is the same as PR #47406 for 5.4-dev.

In the 6.0-dev branch this has already been done with commit a305da2 in the upmerge PR #47402 .

Testing Instructions

It needs a development environment with a git clone, composer and npm.

If not done before, run composer install and npm ci.
Run npm audit.
Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

flatted  <3.4.0
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
fix available via `npm audit fix`
node_modules/flatted

1 high severity vulnerability

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed

786c03f 17 Mar 2026

NPM fix audit for non-dev dependency "flatted"

richard67 - open - 17 Mar 2026

richard67 - change - 17 Mar 2026

Status

New

⇒

Pending

joomla-cms-bot - change - 17 Mar 2026

Category

⇒

NPM Change

richard67 - change - 17 Mar 2026

Title

…

[6.1] NPM update indirect ependency "flatted" to fix a high severity security vulnerability

[6.1] NPM update indirect dependency "flatted" to fix a high severity security vulnerability

richard67 - edited - 17 Mar 2026

brianteeman - test_item - 17 Mar 2026 - Tested successfully

brianteeman - comment - 17 Mar 2026

I have tested this item ✅ successfully on 786c03f

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47407.}

richard67 - comment - 17 Mar 2026

@tecpromotion @HLeithner Feel free to close this PR if you will do it yourself e.g. with a general NPM update.

tecpromotion - change - 17 Mar 2026

Status	Pending	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2026-03-17 12:58:32
Closed_By		⇒	tecpromotion
Labels	Added: NPM Resource Changed PR-6.1-dev

tecpromotion - close - 17 Mar 2026

tecpromotion - merge - 17 Mar 2026

tecpromotion - comment - 17 Mar 2026

Thanks @richard67 and @brianteeman

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#47407] - [6.1] NPM update indirect dependency "flatted" to fix a high severity security vulnerability