Pull Request resolves # .
This pull request (PR) fixes one high severity security vulnerability in the indirect NPM development dependency "lodash" reported by npm audit by using npm audit fix.
The npm audit warning has appeared today so it was not included in my previous PR #47530.
It needs a development environment with a git clone, composer and npm.
composer install and npm ci.
npm audit.
# npm audit report
lodash <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.4.0, which is a breaking change
node_modules/tinymce
2 vulnerabilities (1 moderate, 1 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.4.0, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Please select:
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
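The two reports above differ in which findings plain `npm audit fix` resolves and which need `--force`. As an added example (not part of the PR or the Joomla code base), this script makes that split from the JSON form of a report, using the `fixAvailable` field of `npm audit --json`; the sample object is constructed to mirror the first report, and the function names are hypothetical.

```javascript
// Added example, not from the PR. SAMPLE is constructed to mirror the
// first report above, using npm's `npm audit --json` (report v2) layout.
const SAMPLE = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", range: "<=4.17.23",
      nodes: ["node_modules/lodash"], fixAvailable: true,
    },
    tinymce: {
      name: "tinymce", severity: "moderate", range: "<7.0.0",
      nodes: ["node_modules/tinymce"],
      fixAvailable: { name: "tinymce", version: "8.4.0", isSemVerMajor: true },
    },
  },
};

const SEVERITY = ["info", "low", "moderate", "high", "critical"];
// An unrecognised severity ranks above "critical" so the gate fails closed.
const rank = (s) => (SEVERITY.includes(s) ? SEVERITY.indexOf(s) : SEVERITY.length);

// Sort findings by what it takes to fix them (hypothetical helper name).
function classifyAudit(report) {
  const out = { safeFix: [], breakingFix: [], noFix: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const entry = { name, severity: v.severity, range: v.range };
    const fix = v.fixAvailable;
    if (fix && typeof fix === "object" && fix.isSemVerMajor) {
      // Only `npm audit fix --force` applies this: a major-version jump.
      out.breakingFix.push({ ...entry, target: `${fix.name}@${fix.version}` });
    } else if (fix) {
      out.safeFix.push(entry); // plain `npm audit fix` is enough
    } else {
      out.noFix.push(entry); // no patched release reachable yet
    }
  }
  return out;
}

// CI gate (hypothetical): names of findings at or above `minSeverity` that a
// non-breaking `npm audit fix` would already resolve.
function unfixedButFixable(report, minSeverity) {
  if (!SEVERITY.includes(minSeverity)) throw new RangeError(`unknown severity: ${minSeverity}`);
  return classifyAudit(report).safeFix
    .filter((e) => rank(e.severity) >= rank(minSeverity))
    .map((e) => e.name);
}

console.log(classifyAudit(SAMPLE), unfixedButFixable(SAMPLE, "high"));
```

In CI, pass the parsed output of `npm audit --json` instead of `SAMPLE` and fail the job when `unfixedButFixable` returns a non-empty list.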
| Status | New | ⇒ | Pending |
| Category | ⇒ | NPM Change |
I have tested this item ✅ successfully on 9d88ded
| Status | Pending | ⇒ | Ready to Commit |
| Labels | Added: NPM Resource Changed, bug, PR-5.4-dev |
RTC
| Labels | Added: RTC |
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-04-04 06:08:28 |
| Closed_By | ⇒ | richard67 |
I have tested this item ✅ successfully on 9d88ded
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47534.