RTC NPM Resource Changed bug PR-5.4-dev Pending

richard67
10 May 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes 2 high severity security vulnerabilities in indirect NPM dependencies reported by npm audit by using npm audit fix.

All dependencies are indirect development dependencies.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

@babel/plugin-transform-modules-systemjs  7.12.0 - 7.29.0
Severity: high
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input - https://github.com/advisories/GHSA-fv7c-fp4j-7gwp
fix available via `npm audit fix`
node_modules/@babel/plugin-transform-modules-systemjs

fast-uri  <=3.1.1
Severity: high
fast-uri vulnerable to path traversal via percent-encoded dot segments - https://github.com/advisories/GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to host confusion via percent-encoded authority delimiters - https://github.com/advisories/GHSA-v39h-62p7-jpjc
fix available via `npm audit fix`
node_modules/fast-uri

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce

3 vulnerabilities (1 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
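
Step 3 of the testing instructions ("Check the result") can be automated. The following is an added example, not code from this pull request or from the Joomla project. It assumes the JSON report format that npm 7 and later print for `npm audit --json`; the names `triage` and `pendingSafeFixes` are hypothetical, and the sample report is constructed from the BEFORE output above.

```javascript
// Added example: triage an `npm audit --json` report (auditReportVersion 2).
// Constructed sample mirroring the BEFORE report in this PR, reduced to the fields used here.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@babel/plugin-transform-modules-systemjs': {
      severity: 'high', range: '7.12.0 - 7.29.0', fixAvailable: true,
      via: [{ url: 'https://github.com/advisories/GHSA-fv7c-fp4j-7gwp' }],
    },
    'fast-uri': {
      severity: 'high', range: '<=3.1.1', fixAvailable: true,
      via: [{ url: 'https://github.com/advisories/GHSA-q3j6-qgpj-74h6' },
            { url: 'https://github.com/advisories/GHSA-v39h-62p7-jpjc' }],
    },
    tinymce: {
      severity: 'moderate', range: '<7.0.0',
      fixAvailable: { name: 'tinymce', version: '8.5.0', isSemVerMajor: true },
      via: [{ url: 'https://github.com/advisories/GHSA-5359-pvf2-pw78' }],
    },
  },
};

const SEVERITY = ['info', 'low', 'moderate', 'high', 'critical'];

// Sort each finding by how it can be fixed: plain `npm audit fix`,
// `npm audit fix --force` (semver-major bump), or no fix published.
function triage(report) {
  const out = { safeFix: [], breakingFix: [], noFix: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    // `via` mixes advisory objects with bare package names (transitive causes).
    const advisories = (v.via || []).filter((x) => x && typeof x === 'object' && x.url).map((x) => x.url);
    const entry = { name, severity: v.severity, range: v.range, advisories };
    const fix = v.fixAvailable; // true, false, or { name, version, isSemVerMajor }
    if (fix === true || (fix && !fix.isSemVerMajor)) out.safeFix.push(entry);
    else if (fix) out.breakingFix.push({ ...entry, target: `${fix.name}@${fix.version}` });
    else out.noFix.push(entry);
  }
  return out;
}

// Names of findings at or above `threshold` that a non-breaking fix would clear.
// A non-empty result means `npm audit fix` has not been applied yet.
function pendingSafeFixes(report, threshold = 'high') {
  const min = SEVERITY.indexOf(threshold);
  return triage(report).safeFix
    .filter((e) => SEVERITY.indexOf(e.severity) >= min)
    .map((e) => e.name);
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

To check a real working tree, save the output of `npm audit --json`, parse it with `JSON.parse` and pass the object to `pendingSafeFixes`; after this pull request the list should be empty while tinymce remains under `breakingFix`.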

richard67 - open - 10 May 2026
richard67 - change - 10 May 2026
Status: New → Pending
joomla-cms-bot - change - 10 May 2026
Category NPM Change
brianteeman - test_item - 10 May 2026 - Tested successfully
brianteeman - comment - 10 May 2026

I have tested this item ✅ successfully on 6e75b12


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47753.

krishnagandhicode - test_item - 10 May 2026 - Tested successfully
krishnagandhicode - comment - 10 May 2026

I have tested this item ✅ successfully on 6e75b12

richard67 - change - 10 May 2026
Status: Pending → Ready to Commit
Labels Added: NPM Resource Changed bug PR-5.4-dev
richard67 - comment - 10 May 2026

RTC

muhme - change - 11 May 2026
Labels Added: RTC
muhme - close - 11 May 2026
muhme - merge - 11 May 2026
muhme - change - 11 May 2026
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2026-05-11 06:56:14
Closed_By muhme
muhme - comment - 11 May 2026

Thank you very much @richard67 for your contribution. Thanks to @brianteeman and @krishnagandhicode for testing.
