Pull Request resolves # .
This pull request (PR) fixes 1 low, 4 moderate and 3 high severity security vulnerabilities in NPM development dependencies reported by `npm audit`, by using `npm audit fix`.
The remaining moderate severity issues for the qs dependency might be fixable once an `npm audit fix` is done in the repo of joomla-cypress. But this will very likely not be ready before 5.4.7-rc1 on Saturday.
It needs a development environment with a git clone, composer and npm.

1. Run `composer install` and `npm ci`.
2. Run `npm audit` to check all dependencies and check the result.
3. Run `npm audit --omit dev` to check only non-development dependencies and check the result.

`npm audit` (actual result before applying this PR):
```text
# npm audit report

@babel/core <=7.29.0
@babel/core: Arbitrary File Read via sourceMappingURL Comment - https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
fix available via `npm audit fix`
node_modules/@babel/core

brace-expansion 5.0.2 - 5.0.5
Severity: moderate
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`
node_modules/glob/node_modules/brace-expansion

form-data 4.0.0 - 4.0.5
Severity: high
form-data: CRLF injection in form-data via unescaped multipart field names and filenames - https://github.com/advisories/GHSA-hmw2-7cc7-3qxx
fix available via `npm audit fix`
node_modules/form-data

js-yaml <=4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix`
node_modules/js-yaml

nodemailer <=9.0.0
Severity: high
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection - https://github.com/advisories/GHSA-268h-hp4c-crq3
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization - https://github.com/advisories/GHSA-wqvq-jvpq-h66f
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception - https://github.com/advisories/GHSA-r7g4-qg5f-qqm2
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message - https://github.com/advisories/GHSA-p6gq-j5cr-w38f
fix available via `npm audit fix`
node_modules/nodemailer
  mailparser 2.3.1 - 3.9.8
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  smtp-server 2.0.0 - 3.18.4
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

qs 6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/qs
  @cypress/request <=4.0.0
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of uuid
  node_modules/@cypress/request
    cypress 13.15.0 - 15.14.2
    Depends on vulnerable versions of @cypress/request
    node_modules/cypress
    node_modules/joomla-cypress/node_modules/cypress
      joomla-cypress 1.2.0 - 1.3.1
      Depends on vulnerable versions of cypress
      node_modules/joomla-cypress

tinymce <=7.9.2
Severity: high
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs - https://github.com/advisories/GHSA-mh5m-5hw4-5c69
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection - https://github.com/advisories/GHSA-vg35-5wq7-3x7w
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments - https://github.com/advisories/GHSA-v98h-vmpc-fpqv
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes - https://github.com/advisories/GHSA-q742-qvgc-gc2f
fix available via `npm audit fix --force`
Will install tinymce@8.6.0, which is a breaking change
node_modules/tinymce

tmp <0.2.6
Severity: high
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - https://github.com/advisories/GHSA-ph9p-34f9-6g65
fix available via `npm audit fix`
node_modules/tmp

uuid <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/uuid

14 vulnerabilities (1 low, 9 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
`npm audit --omit dev` (actual result before applying this PR):
```text
# npm audit report

tinymce <=7.9.2
Severity: high
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs - https://github.com/advisories/GHSA-mh5m-5hw4-5c69
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection - https://github.com/advisories/GHSA-vg35-5wq7-3x7w
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments - https://github.com/advisories/GHSA-v98h-vmpc-fpqv
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes - https://github.com/advisories/GHSA-q742-qvgc-gc2f
fix available via `npm audit fix --force`
Will install tinymce@8.6.0, which is a breaking change
node_modules/tinymce

1 high severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
```
`npm audit` (expected result after applying this PR):
```text
# npm audit report

qs 6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/qs
  @cypress/request <=4.0.0
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of uuid
  node_modules/@cypress/request
    cypress 13.15.0 - 15.14.2
    Depends on vulnerable versions of @cypress/request
    node_modules/joomla-cypress/node_modules/cypress
      joomla-cypress 1.2.0 - 1.3.1
      Depends on vulnerable versions of cypress
      node_modules/joomla-cypress

tinymce <=7.9.2
Severity: high
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs - https://github.com/advisories/GHSA-mh5m-5hw4-5c69
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection - https://github.com/advisories/GHSA-vg35-5wq7-3x7w
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments - https://github.com/advisories/GHSA-v98h-vmpc-fpqv
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes - https://github.com/advisories/GHSA-q742-qvgc-gc2f
fix available via `npm audit fix --force`
Will install tinymce@8.6.0, which is a breaking change
node_modules/tinymce

uuid <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/uuid

6 vulnerabilities (5 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
```
`npm audit --omit dev` (expected result after applying this PR): no change, same as the actual result.
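Added example (not part of the PR or the Joomla project): a Python triage over the machine-readable `npm audit --json` report that reproduces the grouping shown in the text reports above (what a plain `npm audit fix` handles versus what needs `--force`), so the expected post-PR state can be checked in CI instead of by reading the output. The field names follow npm's audit report version 2 as I know it; the sample report is constructed to mirror the expected result above, and the gate policy (defer breaking upgrades, fail on anything a plain `npm audit fix` would have fixed) is an assumption that matches this PR's approach.

```python
from collections import Counter

def entry(name, severity, via, fix, direct=False):
    """One finding in the shape of `npm audit --json` (auditReportVersion 2)."""
    return {"name": name, "severity": severity, "isDirect": direct, "via": via, "fixAvailable": fix}

# Constructed sample, not real npm output: mirrors the post-PR state, where only the
# joomla-cypress chain (qs, uuid) and tinymce remain, each needing a semver-major bump.
JC2 = {"name": "joomla-cypress", "version": "2.0.0", "isSemVerMajor": True}
SAMPLE_AUDIT = {"auditReportVersion": 2, "vulnerabilities": {
    "qs": entry("qs", "moderate", [{"title": "qs remotely triggerable DoS",
        "url": "https://github.com/advisories/GHSA-q8mj-m7cp-5q26"}], JC2),
    "uuid": entry("uuid", "moderate", [{"title": "uuid missing buffer bounds check",
        "url": "https://github.com/advisories/GHSA-w5hq-g745-h8pq"}], JC2),
    "@cypress/request": entry("@cypress/request", "moderate", ["qs", "uuid"], JC2),
    "cypress": entry("cypress", "moderate", ["@cypress/request"], JC2),
    "joomla-cypress": entry("joomla-cypress", "moderate", ["cypress"], JC2, True),
    "tinymce": entry("tinymce", "high", [{"title": "TinyMCE XSS via nested SVGs",
        "url": "https://github.com/advisories/GHSA-mh5m-5hw4-5c69"}],
        {"name": "tinymce", "version": "8.6.0", "isSemVerMajor": True}, True),
}}

def severity_counts(report):
    """Same totals as the summary line of the text report."""
    return Counter(v["severity"] for v in report["vulnerabilities"].values())

def triage(report):
    """Group findings by what `npm audit fix` does with them, plus the --force upgrades."""
    groups = {"auto_fix": [], "needs_force": [], "no_fix": []}
    forced = set()
    for name, v in sorted(report["vulnerabilities"].items()):
        fix = v["fixAvailable"]
        if fix is False:
            groups["no_fix"].append(name)
        elif fix is True or not fix.get("isSemVerMajor"):
            groups["auto_fix"].append(name)          # plain `npm audit fix` handles it
        else:
            groups["needs_force"].append(name)       # only `npm audit fix --force`
            forced.add(f"{fix['name']}@{fix['version']}")
    return groups, sorted(forced)

def root_advisories(report, name):
    """Follow `via` chains (strings are package names) down to the advisory URLs."""
    urls = [u for hop in report["vulnerabilities"][name]["via"]
            for u in (root_advisories(report, hop) if isinstance(hop, str) else [hop["url"]])]
    return sorted(set(urls))

def gate_passes(report):
    """Fail only if a plain `npm audit fix` would still fix something; breaking upgrades may be deferred."""
    return not triage(report)[0]["auto_fix"]
```

To run it against a real tree, save `npm audit --json > audit.json` and pass `json.load(open("audit.json"))` to `gate_passes` and `triage`.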
- Documentation link for guide.joomla.org: No documentation changes for guide.joomla.org needed
- Pull Request link for manual.joomla.org: No documentation changes for manual.joomla.org needed
| Field | Old | ⇒ | New |
|---|---|---|---|
| Status | New | ⇒ | Pending |
| Category | | ⇒ | NPM Change |
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-06-26 04:22:44 |
| Closed_By | | ⇒ | muhme |
| Labels | | ⇒ | Added: NPM Resource Changed, PR-5.4-dev |
Thank you very much @richard67 for your contribution.