User tests: Successful: Unsuccessful:
Pull Request resolves # .
This pull request (PR) fixes 1 low, 8 moderate and 3 high severity security vulnerabilities in NPM development dependencies reported by npm audit by using npm audit fix.
The remaining low severity issues for the esbuild dependency could be fixed by updating that dependency to version 0.28.1.
As it is a major version zero, NPM considers it as unstable, and so npm audit considers it a breaking change which would require the --force option. But the 0.28.0 and 0.28.1 releases don't show any breaking changes in their change log here: https://github.com/evanw/esbuild/releases.
@HLeithner @tecpromotion Shall we do that esbuild update to version 0.28.1 in 6.1-dev, or shall we play safe and do it in 6.2-dev? It's not really critical as it is a low severity issue for a development dependency.
(By the way, in 5.4-dev we don't have the esbuild issue as we are on an older version there which is not reported by composer audit to be affected by that security issue.)
It needs a development environment with a git clone, composer and npm.
1. Run composer install and npm ci.
2. Run npm audit to check all dependencies and check the result.
3. Run npm audit --omit dev to check only non-development dependencies and check the result.

npm audit (before applying this PR):
# npm audit report
@babel/core <=7.29.0
@babel/core: Arbitrary File Read via sourceMappingURL Comment - https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
fix available via `npm audit fix`
node_modules/@babel/core
brace-expansion 5.0.2 - 5.0.5
Severity: moderate
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`
node_modules/glob/node_modules/brace-expansion
esbuild 0.27.3 - 0.28.0
esbuild allows arbitrary file read when running the development server on Windows - https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
fix available via `npm audit fix --force`
Will install esbuild@0.28.1, which is a breaking change
node_modules/esbuild
form-data 4.0.0 - 4.0.5
Severity: high
form-data: CRLF injection in form-data via unescaped multipart field names and filenames - https://github.com/advisories/GHSA-hmw2-7cc7-3qxx
fix available via `npm audit fix`
node_modules/form-data
js-yaml <=4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix`
node_modules/js-yaml
nodemailer <=9.0.0
Severity: high
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection - https://github.com/advisories/GHSA-268h-hp4c-crq3
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization - https://github.com/advisories/GHSA-wqvq-jvpq-h66f
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception - https://github.com/advisories/GHSA-r7g4-qg5f-qqm2
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message - https://github.com/advisories/GHSA-p6gq-j5cr-w38f
fix available via `npm audit fix`
node_modules/nodemailer
mailparser 2.3.1 - 3.9.8
Depends on vulnerable versions of nodemailer
node_modules/mailparser
smtp-server 2.0.0 - 3.18.4
Depends on vulnerable versions of nodemailer
node_modules/smtp-server
qs 6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`
node_modules/qs
@cypress/request <=4.0.0
Depends on vulnerable versions of qs
Depends on vulnerable versions of uuid
node_modules/@cypress/request
cypress 13.15.0 - 15.14.2
Depends on vulnerable versions of @cypress/request
node_modules/cypress
tmp <0.2.6
Severity: high
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - https://github.com/advisories/GHSA-ph9p-34f9-6g65
fix available via `npm audit fix`
node_modules/tmp
uuid <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix`
node_modules/uuid
13 vulnerabilities (2 low, 8 moderate, 3 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
npm audit --omit dev:
found 0 vulnerabilities
npm audit (after applying this PR):
# npm audit report
esbuild 0.27.3 - 0.28.0
esbuild allows arbitrary file read when running the development server on Windows - https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
fix available via `npm audit fix --force`
Will install esbuild@0.28.1, which is a breaking change
node_modules/esbuild
1 low severity vulnerability
To address all issues (including breaking changes), run:
npm audit fix --force
npm audit --omit dev:
No change, same as actual result.
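The test procedure above reads the two npm audit runs by hand and the PR description notes why npm audit fix wants --force for esbuild. The following added example (not Joomla's code, and not part of this PR) automates that reading: it parses the `metadata.vulnerabilities` counters of `npm audit --json`, applies a stricter threshold to production dependencies (`--omit=dev`) than to development ones, and shows the caret-range rule under which a 0.x minor bump counts as breaking. The policy thresholds, the hypothetical declared range `^0.27.3` and the two sample reports are constructed; the sample counts are copied from the audit output in this PR.

```python
"""Gate a project on `npm audit --json` output.

Added example, not Joomla's own tooling. The thresholds and the
sample reports below are constructed; `metadata.vulnerabilities`
is the summary block npm 7+ writes in its JSON report.
"""
import json
import subprocess
from typing import Dict, Tuple

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def run_npm_audit(omit_dev: bool) -> dict:
    """Run `npm audit --json` in the current directory and parse it.

    npm exits non-zero whenever it finds vulnerabilities, so the exit
    status is ignored here and only the JSON body is used.
    """
    cmd = ["npm", "audit", "--json"]
    if omit_dev:
        cmd.append("--omit=dev")
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def count_by_severity(report: dict) -> Dict[str, int]:
    """Return one counter per severity from the report's metadata block."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITY_ORDER}


def audit_gate(report: dict, fail_at: str) -> Tuple[bool, Dict[str, int]]:
    """Return (passes, counts).

    Fails when any finding is at or above `fail_at`, like npm's own
    --audit-level flag, but usable on a saved report as well.
    """
    counts = count_by_severity(report)
    threshold = SEVERITY_ORDER.index(fail_at)
    blocking = sum(counts[sev] for sev in SEVERITY_ORDER[threshold:])
    return blocking == 0, counts


def caret_range_allows(declared: str, candidate: str) -> bool:
    """Caret (^) semantics as used by npm's semver ranges.

    For 1.x and above only the major version is pinned; for 0.x the
    minor is pinned as well (and for 0.0.x the patch). This is why a
    fix from 0.27.3 to 0.28.1 is classed as a breaking change that
    needs --force even when the changelog lists nothing breaking.
    """
    base = [int(p) for p in declared.lstrip("^").split(".")]
    cand = [int(p) for p in candidate.split(".")]
    if cand < base:
        return False
    if base[0] != 0:
        return cand[0] == base[0]
    if base[1] != 0:
        return cand[0] == 0 and cand[1] == base[1]
    return cand[0] == 0 and cand[1] == 0 and cand[2] == base[2]


# Constructed reports carrying the counts from the PR's before/after runs.
SAMPLE_BEFORE = {"metadata": {"vulnerabilities": {
    "info": 0, "low": 2, "moderate": 8, "high": 3, "critical": 0, "total": 13}}}
SAMPLE_AFTER = {"metadata": {"vulnerabilities": {
    "info": 0, "low": 1, "moderate": 0, "high": 0, "critical": 0, "total": 1}}}

# Constructed policy: production deps must be clean, dev deps may carry lows.
POLICY = {"production": "low", "development": "moderate"}

if __name__ == "__main__":
    for label, omit_dev in (("production", True), ("development", False)):
        ok, counts = audit_gate(run_npm_audit(omit_dev), POLICY[label])
        print(f"{label}: {'PASS' if ok else 'FAIL'} {counts}")
    # Hypothetical declared range for esbuild; the PR's fix target is 0.28.1.
    print("^0.27.3 allows 0.28.1:", caret_range_allows("^0.27.3", "0.28.1"))
```

Run it from a checkout after `npm ci`; with the constructed policy the "before" counts fail the development gate while the single remaining low-severity esbuild finding passes it, which matches the reasoning in the PR description.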
Please select:
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
| Field | Before | ⇒ | After |
| --- | --- | --- | --- |
| Status | New | ⇒ | Pending |
| Category | | ⇒ | NPM Change |
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2026-06-26 06:04:26 |
| Closed_By | | ⇒ | tecpromotion |
| Labels | | ⇒ | Added: NPM Resource Changed, PR-6.1-dev |
thx