[#47621] - [5.4] NPM update indirect development dependencies to fix 3 security vulnerabilities
- Fixed in Code Base
- 19 Apr 2026
- Medium
- Build: 5.4-dev
- # 47621
- Diff
- richard67:5.4-dev-npm-audit-fix-2026-04-18
User tests: Successful: Unsuccessful:
Pull Request resolves # .
- I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.
Summary of Changes
This pull request (PR) fixes 3 moderate severity security vulnerabilities in indirect NPM dependencies reported by npm audit by using npm audit fix.
All dependencies are indirect development dfependencies.
Testing Instructions
It needs a development environment with a git clone, composer and npm.
- If not done before, run
composer installandnpm ci. - Run
npm audit. - Check the result.
Actual result BEFORE applying this Pull Request
# npm audit report
nodemailer <=8.0.4
Severity: moderate
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) - https://github.com/advisories/GHSA-vvjj-xcjg-gr5g
fix available via `npm audit fix`
node_modules/nodemailer
mailparser 2.3.1 - 3.9.6
Depends on vulnerable versions of nodemailer
node_modules/mailparser
smtp-server 2.0.0 - 3.18.3
Depends on vulnerable versions of nodemailer
node_modules/smtp-server
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.4.0, which is a breaking change
node_modules/tinymce
4 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Expected result AFTER applying this Pull Request
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.4.0, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
Link to documentations
Please select:
-
Documentation link for guide.joomla.org:
-
No documentation changes for guide.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | NPM Change |
I have tested this item ✅ successfully on 95a4d39
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47621.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
NPM Resource Changed
bug
PR-5.4-dev
|
||
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47621.
| Labels |
Added:
RTC
|
||
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-04-19 06:04:35 |
| Closed_By | ⇒ | muhme |
Thank you very much @richard67 for your contribution. Thanks to @brianteeman and @krishnagandhicode for testing.
I have tested this item ✅ successfully on 95a4d39
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47621.