NPM Resource Changed PR-5.4-dev Pending

brianteeman
14 May 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes 1 high severity security vulnerability in indirect NPM dependencies reported by npm audit by using npm audit fix.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

If not done before, run composer install and npm ci.
Run npm audit.
Check the result.

Actual result BEFORE applying this Pull Request

PS D:\repos\j51> npm audit
# npm audit report

systeminformation  4.17.0 - 5.31.5
Severity: high
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name - https://github.com/advisories/GHSA-hvx9-hwr7-wjj9
fix available via `npm audit fix`
node_modules/systeminformation

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce

2 vulnerabilities (1 moderate, 1 high)

Expected result AFTER applying this Pull Request

PS D:\repos\j51> npm audit
# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.5.0, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force


Link to documentations
Please select:
- [ ] Documentation link for guide.joomla.org: <link>
- [ ] No documentation changes for guide.joomla.org needed

- [ ] Pull Request link for manual.joomla.org: <link>
- [ ] No documentation changes for manual.joomla.org needed
brianteeman - open - 14 May 2026
brianteeman - change - 14 May 2026
Status: New → Pending
joomla-cms-bot - change - 14 May 2026
Category: NPM Change
richard67 - comment - 14 May 2026

It is only a development dependency not shown when using

npm audit --omit dev

So it won't make it into the 5.4.6 we have just prepared.
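
The triage this thread walks through, written as an added example (not code from the pull request or the Joomla project): it compares an `npm audit --json` report with an `npm audit --omit dev --json` report to mark dev-only findings, and maps each finding's `fixAvailable` field to the command needed. The function names `triage` and `fixCommand` are hypothetical, both embedded reports are constructed samples, and which packages remain with `--omit dev` is an assumption.

```javascript
// Constructed samples in the `npm audit --json` shape (auditReportVersion 2),
// mirroring the two findings in the report above. Not the project's real output.
const FULL_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    systeminformation: {
      name: 'systeminformation', severity: 'high', isDirect: false,
      via: [{ url: 'https://github.com/advisories/GHSA-hvx9-hwr7-wjj9' }],
      fixAvailable: true,
    },
    tinymce: {
      name: 'tinymce', severity: 'moderate', isDirect: true,
      via: [{ url: 'https://github.com/advisories/GHSA-5359-pvf2-pw78' }],
      fixAvailable: { name: 'tinymce', version: '8.5.0', isSemVerMajor: true },
    },
  },
});
// Assumption: with `--omit dev` only tinymce is still reported.
const PROD_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: { tinymce: JSON.parse(FULL_REPORT).vulnerabilities.tinymce },
});
const RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// fixAvailable is true, false, or { name, version, isSemVerMajor }; the object
// form is the case npm reports as needing --force.
function fixCommand(fixAvailable) {
  if (fixAvailable === true) return 'npm audit fix';
  if (!fixAvailable) return 'none';
  const note = fixAvailable.isSemVerMajor ? 'breaking change' : 'outside stated range';
  return `npm audit fix --force (${fixAvailable.name}@${fixAvailable.version}, ${note})`;
}

// A finding missing from the --omit dev report is reachable only via devDependencies.
function triage(fullJson, prodJson) {
  const full = JSON.parse(fullJson).vulnerabilities || {};
  const prod = JSON.parse(prodJson).vulnerabilities || {};
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return Object.values(full).map((v) => ({
    name: v.name, severity: v.severity,
    scope: own(prod, v.name) ? 'production' : 'dev-only',
    fix: fixCommand(v.fixAvailable),
    // `via` mixes advisory objects with names of other vulnerable packages.
    advisories: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.url),
  })).sort((a, b) => RANK[a.severity] - RANK[b.severity]);
}

for (const f of triage(FULL_REPORT, PROD_REPORT)) {
  console.log(`${f.severity.padEnd(8)} ${f.scope.padEnd(10)} ${f.name}: ${f.fix}`);
}
```
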

richard67 - change - 14 May 2026
Status: Pending → Ready to Commit
Labels Added: NPM Resource Changed PR-5.4-dev
richard67 - comment - 14 May 2026

RTC as it has 2 approvals by maintainers.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/47771.
