Pull Request resolves # .
This pull request (PR) fixes 3 moderate severity security vulnerabilities in indirect NPM dependencies reported by npm audit by using npm audit fix.
All dependencies are indirect development dependencies except for "postcss", which is not directly flagged as such but is an indirect dependency of "postcss-scss", which is a development dependency.
It needs a development environment with a git clone, composer and npm.
`composer install` and `npm ci`.
`npm audit`.
# npm audit report
fast-xml-parser <5.7.0
Severity: moderate
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters - https://github.com/advisories/GHSA-gh4j-gqv2-49f6
fix available via `npm audit fix`
node_modules/fast-xml-parser
@aws-sdk/xml-builder 3.894.0 - 3.972.18
Depends on vulnerable versions of fast-xml-parser
node_modules/@aws-sdk/xml-builder
postcss <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce
4 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
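The description above argues that the fixed packages are reachable only through development dependencies (postcss via postcss-scss) and that the remaining tinymce finding needs a breaking `--force` fix. The following is an added example, not code from this PR, Joomla or npm, that makes that check mechanical: it joins a dependency tree with `npm audit --json`-shaped findings and reports, per vulnerable package, whether it is reachable from production dependencies or dev-only and whether the available fix is semver-major. The tree shape (a `dev: true` flag on top-level devDependencies) and both inputs are constructed assumptions.

```javascript
// Simplified tree: top-level entries carry `dev: true` when they come from
// devDependencies (constructed convention, not the real `npm ls --json` shape).
const tree = {
  dependencies: {
    "postcss-scss": { dev: true, dependencies: { postcss: { version: "8.5.9" } } },
    "@aws-sdk/xml-builder": { dev: true, dependencies: { "fast-xml-parser": { version: "5.6.0" } } },
    tinymce: { version: "6.8.0", dev: false },
  },
};
// Constructed findings in the shape of `npm audit --json` (npm 7+):
// `fixAvailable` is `true` or an object carrying `isSemVerMajor`.
const audit = {
  vulnerabilities: {
    postcss: { severity: "moderate", isDirect: false, fixAvailable: true },
    "fast-xml-parser": { severity: "moderate", isDirect: false, fixAvailable: true },
    tinymce: { severity: "moderate", isDirect: true,
      fixAvailable: { name: "tinymce", version: "8.5.0", isSemVerMajor: true } },
  },
};
// Walk the tree once, recording for each package name the contexts
// ("prod" / "dev") through which the root reaches it.
function reachability(root) {
  const seen = new Map();
  const walk = (deps, ctx) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const c = ctx ?? (node.dev ? "dev" : "prod"); // top level decides the context
      if (!seen.has(name)) seen.set(name, new Set());
      if (seen.get(name).has(c)) continue; // already visited in this context; also guards cycles
      seen.get(name).add(c);
      walk(node.dependencies, c);
    }
  };
  walk(root.dependencies, null);
  return seen;
}
// Join findings with reachability: "dev-only" means no path from the root reaches the
// package through a production dependency; "breakingFix" means plain `npm audit fix` will not take it.
function classify(root, report) {
  const reach = reachability(root);
  const out = {};
  for (const [name, v] of Object.entries(report.vulnerabilities)) {
    const ctx = reach.get(name);
    out[name] = {
      severity: v.severity,
      scope: !ctx ? "not-installed" : ctx.has("prod") ? "production" : "dev-only",
      breakingFix: typeof v.fixAvailable === "object" && Boolean(v.fixAvailable.isSemVerMajor),
    };
  }
  return out;
}
```

On a real checkout the two inputs would come from `npm ls --all --json` and `npm audit --json`; the classification then tells reviewers which findings can only affect the build toolchain.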
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
| Category | ⇒ | NPM Change |
| Labels | Added: NPM Resource Changed, bug, PR-5.4-dev |
I have tested this item ✅ successfully on 6df995e
I have tested this item ✅ successfully on 6df995e
I have tested this item ✅ successfully on 6df995e
I have tested this item ✅ successfully on 6df995e
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47739.