Pull Request resolves # .
This pull request (PR) fixes 2 high severity security vulnerabilities in indirect NPM dependencies reported by npm audit by using npm audit fix.
All dependencies are indirect development dependencies.
It needs a development environment with a git clone, composer and npm.
composer install and npm ci.
npm audit.

```
# npm audit report
@babel/plugin-transform-modules-systemjs 7.12.0 - 7.29.0
Severity: high
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input - https://github.com/advisories/GHSA-fv7c-fp4j-7gwp
fix available via `npm audit fix`
node_modules/@babel/plugin-transform-modules-systemjs
fast-uri <=3.1.1
Severity: high
fast-uri vulnerable to path traversal via percent-encoded dot segments - https://github.com/advisories/GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to host confusion via percent-encoded authority delimiters - https://github.com/advisories/GHSA-v39h-62p7-jpjc
fix available via `npm audit fix`
node_modules/fast-uri
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce
3 vulnerabilities (1 moderate, 2 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
```
```
# npm audit report
tinymce <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce
1 moderate severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
```
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
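The before/after comparison in the testing steps above can be checked mechanically from `npm audit --json` instead of reading the text report. The following is an added example, not part of this pull request or the Joomla code base: the function names are hypothetical, and the sample object is constructed from the values in the first report, using the `auditReportVersion` 2 JSON layout.

```javascript
// Added example: triage `npm audit --json` output (auditReportVersion 2).
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Group findings by the command that resolves them and list the packages
// whose severity is at or above `failAt`.
function triageAudit(report, failAt = 'high') {
  const threshold = SEVERITIES.indexOf(failAt);
  if (threshold === -1) throw new Error(`unknown severity: ${failAt}`);
  const out = { fix: [], force: [], none: [], blocking: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (fix === true) {
      out.fix.push(name); // resolved by plain `npm audit fix`
    } else if (fix && typeof fix === 'object') {
      // An object means `npm audit fix --force` and names what gets installed.
      out.force.push({ name, installs: `${fix.name}@${fix.version}`,
        breaking: Boolean(fix.isSemVerMajor) });
    } else {
      out.none.push(name); // no fix published
    }
    if (SEVERITIES.indexOf(vuln.severity) >= threshold) out.blocking.push(name);
  }
  return out;
}

// Packages expected to stay in the report after a plain `npm audit fix`
// (assumes every in-range fix applies cleanly).
function remainingAfterFix(triage) {
  return [...triage.force.map((f) => f.name), ...triage.none];
}

// Constructed sample mirroring the first report above; only the fields used
// by triageAudit are included.
const sampleBefore = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@babel/plugin-transform-modules-systemjs': { severity: 'high', fixAvailable: true },
    'fast-uri': { severity: 'high', fixAvailable: true },
    tinymce: { severity: 'moderate',
      fixAvailable: { name: 'tinymce', version: '8.5.0', isSemVerMajor: true } },
  },
};

const triage = triageAudit(sampleBefore);
console.log(triage, remainingAfterFix(triage));
```

To use it on a real checkout, pass the parsed output of `npm audit --json` to `triageAudit` and fail the build when `blocking` is non-empty.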
| Status | New | ⇒ | Pending |
| Category | ⇒ | NPM Change |
I have tested this item ✅ successfully on 6e75b12
I have tested this item ✅ successfully on 6e75b12
I have tested this item ✅ successfully on 6e75b12
| Status | Pending | ⇒ | Ready to Commit |
| Labels | Added: NPM Resource Changed, bug, PR-5.4-dev |
RTC
RTC
| Labels | Added: RTC |
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-05-11 06:56:14 |
| Closed_By | ⇒ | muhme |
Thank you very much @richard67 for your contribution. Thanks to @brianteeman and @krishnagandhicode for testing.
I have tested this item ✅ successfully on 6e75b12
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47753.