NPM Resource Changed PR-5.4-dev Pending


richard67
25 Jun 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes 1 low, 4 moderate and 3 high severity security vulnerabilities in NPM development dependencies reported by npm audit by using npm audit fix.

The remaining moderate severity issues for the qs dependency might be fixable when an npm audit fix is done in the joomla-cypress repo. But this will very likely not be ready before 5.4.7-rc1 on Saturday.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit to check all dependencies and check the result.
  3. Run npm audit --omit dev to check only non-development dependencies and check the result.

Actual result BEFORE applying this Pull Request

npm audit:

# npm audit report

@babel/core  <=7.29.0
@babel/core: Arbitrary File Read via sourceMappingURL Comment - https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
fix available via `npm audit fix`
node_modules/@babel/core

brace-expansion  5.0.2 - 5.0.5
Severity: moderate
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`
node_modules/glob/node_modules/brace-expansion

form-data  4.0.0 - 4.0.5
Severity: high
form-data: CRLF injection in form-data via unescaped multipart field names and filenames - https://github.com/advisories/GHSA-hmw2-7cc7-3qxx
fix available via `npm audit fix`
node_modules/form-data

js-yaml  <=4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix`
node_modules/js-yaml

nodemailer  <=9.0.0
Severity: high
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection - https://github.com/advisories/GHSA-268h-hp4c-crq3
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization - https://github.com/advisories/GHSA-wqvq-jvpq-h66f
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception - https://github.com/advisories/GHSA-r7g4-qg5f-qqm2
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message - https://github.com/advisories/GHSA-p6gq-j5cr-w38f
fix available via `npm audit fix`
node_modules/nodemailer
  mailparser  2.3.1 - 3.9.8
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  smtp-server  2.0.0 - 3.18.4
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

qs  6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/qs
  @cypress/request  <=4.0.0
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of uuid
  node_modules/@cypress/request
    cypress  13.15.0 - 15.14.2
    Depends on vulnerable versions of @cypress/request
    node_modules/cypress
    node_modules/joomla-cypress/node_modules/cypress
      joomla-cypress  1.2.0 - 1.3.1
      Depends on vulnerable versions of cypress
      node_modules/joomla-cypress

tinymce  <=7.9.2
Severity: high
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs - https://github.com/advisories/GHSA-mh5m-5hw4-5c69
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection - https://github.com/advisories/GHSA-vg35-5wq7-3x7w
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments - https://github.com/advisories/GHSA-v98h-vmpc-fpqv
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes - https://github.com/advisories/GHSA-q742-qvgc-gc2f
fix available via `npm audit fix --force`
Will install tinymce@8.6.0, which is a breaking change
node_modules/tinymce

tmp  <0.2.6
Severity: high
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - https://github.com/advisories/GHSA-ph9p-34f9-6g65
fix available via `npm audit fix`
node_modules/tmp

uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/uuid

14 vulnerabilities (1 low, 9 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit --omit dev:

# npm audit report

tinymce  <=7.9.2
Severity: high
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs - https://github.com/advisories/GHSA-mh5m-5hw4-5c69
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection - https://github.com/advisories/GHSA-vg35-5wq7-3x7w
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments - https://github.com/advisories/GHSA-v98h-vmpc-fpqv
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes - https://github.com/advisories/GHSA-q742-qvgc-gc2f
fix available via `npm audit fix --force`
Will install tinymce@8.6.0, which is a breaking change
node_modules/tinymce

1 high severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

npm audit:

# npm audit report

qs  6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/qs
  @cypress/request  <=4.0.0
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of uuid
  node_modules/@cypress/request
    cypress  13.15.0 - 15.14.2
    Depends on vulnerable versions of @cypress/request
    node_modules/joomla-cypress/node_modules/cypress
      joomla-cypress  1.2.0 - 1.3.1
      Depends on vulnerable versions of cypress
      node_modules/joomla-cypress

tinymce  <=7.9.2
Severity: high
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs - https://github.com/advisories/GHSA-mh5m-5hw4-5c69
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection - https://github.com/advisories/GHSA-vg35-5wq7-3x7w
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments - https://github.com/advisories/GHSA-v98h-vmpc-fpqv
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes - https://github.com/advisories/GHSA-q742-qvgc-gc2f
fix available via `npm audit fix --force`
Will install tinymce@8.6.0, which is a breaking change
node_modules/tinymce

uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install joomla-cypress@2.0.0, which is a breaking change
node_modules/uuid

6 vulnerabilities (5 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit --omit dev:
No change, same as actual result.

Link to documentation

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

richard67 - open - 25 Jun 2026
richard67 - change - 25 Jun 2026
Status New Pending
joomla-cms-bot - change - 25 Jun 2026
Category NPM Change
muhme - change - 26 Jun 2026
Status Pending Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2026-06-26 04:22:44
Closed_By muhme
Labels Added: NPM Resource Changed PR-5.4-dev
muhme - close - 26 Jun 2026
muhme - merge - 26 Jun 2026
muhme - comment - 26 Jun 2026

Thank you very much @richard67 for your contribution.
