Pull Request resolves # .
This pull request (PR) fixes 4 high, 1 moderate and 3 low severity security vulnerabilities in indirect NPM dependencies reported by npm audit by using npm audit fix.
All dependencies are indirect, and except for "flatted" they are all development dependencies.
Only flatted is listed when doing an npm audit --omit dev, but I think that might be misleading, and we only use it for our system testing. However, I am not 100% sure about that.
It needs a development environment with a git clone, composer and npm.
composer install and npm ci.
npm audit.
# npm audit report
brace-expansion <1.1.13 || >=4.0.0 <5.0.5
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion
fast-xml-parser 4.0.0-beta.3 - 5.5.6
Severity: high
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fix available via `npm audit fix`
node_modules/fast-xml-parser
@aws-sdk/xml-builder 3.894.0 - 3.972.11
Depends on vulnerable versions of fast-xml-parser
node_modules/@aws-sdk/xml-builder
flatted <=3.4.1
Severity: high
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted
nodemailer <8.0.4
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter - https://github.com/advisories/GHSA-c7w3-x93f-qmm8
fix available via `npm audit fix`
node_modules/mailparser/node_modules/nodemailer
node_modules/nodemailer
mailparser 2.3.1 - 3.9.5
Depends on vulnerable versions of nodemailer
node_modules/mailparser
smtp-server 2.0.0 - 3.18.2
Depends on vulnerable versions of nodemailer
node_modules/smtp-server
picomatch <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/micromatch/node_modules/picomatch
node_modules/picomatch
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.4.0, which is a breaking change
node_modules/tinymce
9 vulnerabilities (3 low, 2 moderate, 4 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.4.0, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
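The open question in the description above, whether flatted is a dev-only dependency and so should or should not appear under npm audit --omit dev, can be checked offline from package-lock.json: with lockfileVersion 2 or 3, npm marks a package entry with dev: true when every path to it goes through a devDependency, and leaves the flag off when a production dependency reaches it. The Node script below is an added example, not code from this PR or from Joomla. It cross-checks a constructed npm audit --json excerpt against a constructed lockfile excerpt; both mirror the report above, but the dev flags in the lockfile excerpt are assumed for illustration and say nothing about the real Joomla lockfile.

```javascript
// Added example (not from the PR or from Joomla): classify `npm audit --json`
// findings as dev-only or production by cross-checking the lockfile's `dev`
// flags, which is the scope `npm audit --omit dev` applies implicitly.

// Constructed excerpt of a lockfileVersion 3 package-lock.json. The `dev: true`
// flags are ASSUMED for illustration; npm sets the flag only when a package is
// reachable solely through devDependencies.
const packageLock = {
  name: "example-project",
  lockfileVersion: 3,
  packages: {
    "node_modules/flatted": { version: "3.4.1", dev: true },
    "node_modules/tinymce": { version: "6.8.3" },
    "node_modules/picomatch": { version: "4.0.3", dev: true },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1", dev: true },
    "node_modules/nodemailer": { version: "8.0.3", dev: true },
    "node_modules/mailparser/node_modules/nodemailer": { version: "7.0.0", dev: true },
  },
};

// Constructed excerpt of `npm audit --json` output. `fixAvailable` is true,
// false, or an object with `isSemVerMajor` when the fix needs `--force`;
// `nodes` lists every installed copy the advisory applies to.
const auditReport = {
  vulnerabilities: {
    flatted: {
      name: "flatted", severity: "high", isDirect: false, range: "<=3.4.1",
      fixAvailable: true, nodes: ["node_modules/flatted"],
    },
    tinymce: {
      name: "tinymce", severity: "moderate", isDirect: false, range: "<7.0.0",
      fixAvailable: { name: "tinymce", version: "8.4.0", isSemVerMajor: true },
      nodes: ["node_modules/tinymce"],
    },
    picomatch: {
      name: "picomatch", severity: "high", isDirect: false,
      range: "<=2.3.1 || 4.0.0 - 4.0.3", fixAvailable: true,
      nodes: ["node_modules/picomatch", "node_modules/micromatch/node_modules/picomatch"],
    },
    nodemailer: {
      name: "nodemailer", severity: "high", isDirect: false, range: "<8.0.4",
      fixAvailable: true,
      nodes: ["node_modules/nodemailer", "node_modules/mailparser/node_modules/nodemailer"],
    },
  },
};

// A finding is dev-only when every installed copy it points at is flagged dev
// in the lockfile. One production copy, or a path missing from the lockfile,
// makes the whole finding production-relevant (fail closed).
function classifyFinding(finding, lock) {
  const copies = finding.nodes.map((p) => lock.packages[p]);
  const devOnly = copies.length > 0 &&
    copies.every((pkg) => pkg !== undefined && pkg.dev === true);
  const breaking = typeof finding.fixAvailable === "object" &&
    finding.fixAvailable.isSemVerMajor === true;
  let fix = "npm audit fix";
  if (finding.fixAvailable === false) fix = "none";
  else if (breaking) fix = "breaking (npm audit fix --force)";
  return {
    name: finding.name,
    severity: finding.severity,
    scope: devOnly ? "dev-only" : "production",
    fix,
  };
}

function classifyReport(report, lock) {
  return Object.values(report.vulnerabilities).map((f) => classifyFinding(f, lock));
}

// Findings that would still be reported by `npm audit --omit dev`.
function productionFindings(report, lock) {
  return classifyReport(report, lock).filter((r) => r.scope === "production");
}

for (const r of classifyReport(auditReport, packageLock)) {
  console.log(`${r.name.padEnd(11)} ${r.severity.padEnd(9)} ${r.scope.padEnd(11)} fix: ${r.fix}`);
}
```

On a real checkout, replace the two constructed objects with JSON.parse of package-lock.json and of the output of npm audit --json; npm ls flatted also prints the dependency chain, which shows directly whether the package hangs only off devDependencies.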
| Status | New | ⇒ | Pending |
| Category | ⇒ | NPM Change |
✅ Final check before merge with local git clone
gh pr checkout 47530
npm audit --omit dev shows only the one breaking-change tinymce moderate-severity vulnerability as expected
flatted is not listed for me today
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-04-02 05:43:25 |
| Closed_By | | ⇒ | muhme |
| Labels | | ⇒ | Added: NPM Resource Changed, bug, PR-5.4-dev |
Thank you @richard67 for your contribution. Thank you @brianteeman for testing.
I have tested this item ✅ successfully on 5fa26f5
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47530.