RTC NPM Resource Changed PR-5.4-dev Pending

User tests: Successful: Unsuccessful:

avatar brianteeman
brianteeman
14 May 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes 1 high severity security vulnerabilities in indirect NPM dependencies reported by npm audit by using npm audit fix.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

If not done before, run composer install and npm ci.
Run npm audit.
Check the result.

Actual result BEFORE applying this Pull Request

PS D:\repos\j51> npm audit
# npm audit report

systeminformation  4.17.0 - 5.31.5
Severity: high
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name - https://github.com/advisories/GHSA-hvx9-hwr7-wjj9
fix available via `npm audit fix`
node_modules/systeminformation

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce

2 vulnerabilities (1 moderate, 1 high)

Expected result AFTER applying this Pull Request

PS D:\repos\j51> npm audit
# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force


```### Link to documentations
Please select:
- [ ] Documentation link for guide.joomla.org: <link>
- [ ] No documentation changes for guide.joomla.org needed

- [ ] Pull Request link for manual.joomla.org: <link>
- [ ] No documentation changes for manual.joomla.org needed
avatar brianteeman brianteeman - open - 14 May 2026
avatar brianteeman brianteeman - change - 14 May 2026
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 14 May 2026
Category NPM Change
avatar richard67
richard67 - comment - 14 May 2026

It is only a development dependency not shown when using

npm audit --omit dev

So it won't make it into the 5.4.6 we have just prepared.

avatar richard67 richard67 - change - 14 May 2026
Status Pending Ready to Commit
Labels Added: NPM Resource Changed PR-5.4-dev
avatar richard67
richard67 - comment - 14 May 2026

RTC as it has 2 approvals by maintainers.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47771.

avatar richard67
richard67 - comment - 14 May 2026

RTC as it has 2 approvals by maintainers.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47771.

avatar muhme muhme - change - 27 May 2026
Labels Added: RTC
avatar muhme
muhme - comment - 27 May 2026

No final checks before merge, as all CI checks passed and this npm update is already two weeks old. We will update it again before the next release.

avatar muhme muhme - change - 27 May 2026
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2026-05-27 14:03:41
Closed_By muhme
avatar muhme muhme - close - 27 May 2026
avatar muhme muhme - merge - 27 May 2026
avatar muhme
muhme - comment - 27 May 2026

Thank you very much @brianteeman for your contribution. Thanks to @richard67 and @tecpromotion for the review.

Add a Comment

Login with GitHub to post a comment