NPM Resource Changed PR-6.1-dev Pending


richard67 - 25 Jun 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request (PR) fixes 1 low, 8 moderate and 3 high severity security vulnerabilities in NPM development dependencies reported by npm audit by using npm audit fix.

The remaining low severity issues for the esbuild dependency could be fixed by updating that dependency to version 0.28.1.
As it is a major version zero, NPM considers it as unstable, and so npm audit considers it a breaking change which would require the --force option. But the 0.28.0 and 0.28.1 releases don't show any breaking changes in their change log here: https://github.com/evanw/esbuild/releases.

@HLeithner @tecpromotion Shall we do that esbuild update to version 0.28.1 in 6.1-dev, or shall we play safe and do it in 6.2-dev? It's not really critical as it is a low severity issue for a development dependency.

(By the way, in 5.4-dev we don't have the esbuild issue as we are on an older version there which is not reported by composer audit to be affected by that security issue.)

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit to check all dependencies and check the result.
  3. Run npm audit --omit dev to check only non-development dependencies and check the result.

Actual result BEFORE applying this Pull Request

npm audit:

# npm audit report

@babel/core  <=7.29.0
@babel/core: Arbitrary File Read via sourceMappingURL Comment - https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
fix available via `npm audit fix`
node_modules/@babel/core

brace-expansion  5.0.2 - 5.0.5
Severity: moderate
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`
node_modules/glob/node_modules/brace-expansion

esbuild  0.27.3 - 0.28.0
esbuild allows arbitrary file read when running the development server on Windows - https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
fix available via `npm audit fix --force`
Will install esbuild@0.28.1, which is a breaking change
node_modules/esbuild

form-data  4.0.0 - 4.0.5
Severity: high
form-data: CRLF injection in form-data via unescaped multipart field names and filenames - https://github.com/advisories/GHSA-hmw2-7cc7-3qxx
fix available via `npm audit fix`
node_modules/form-data

js-yaml  <=4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix`
node_modules/js-yaml

nodemailer  <=9.0.0
Severity: high
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection - https://github.com/advisories/GHSA-268h-hp4c-crq3
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization - https://github.com/advisories/GHSA-wqvq-jvpq-h66f
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception - https://github.com/advisories/GHSA-r7g4-qg5f-qqm2
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message - https://github.com/advisories/GHSA-p6gq-j5cr-w38f
fix available via `npm audit fix`
node_modules/nodemailer
  mailparser  2.3.1 - 3.9.8
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  smtp-server  2.0.0 - 3.18.4
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

qs  6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`
node_modules/qs
  @cypress/request  <=4.0.0
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of uuid
  node_modules/@cypress/request
    cypress  13.15.0 - 15.14.2
    Depends on vulnerable versions of @cypress/request
    node_modules/cypress

tmp  <0.2.6
Severity: high
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - https://github.com/advisories/GHSA-ph9p-34f9-6g65
fix available via `npm audit fix`
node_modules/tmp

uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix`
node_modules/uuid

13 vulnerabilities (2 low, 8 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit --omit dev:

found 0 vulnerabilities

Expected result AFTER applying this Pull Request

npm audit:

# npm audit report

esbuild  0.27.3 - 0.28.0
esbuild allows arbitrary file read when running the development server on Windows - https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
fix available via `npm audit fix --force`
Will install esbuild@0.28.1, which is a breaking change
node_modules/esbuild

1 low severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit --omit dev:
No change, same as actual result.

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
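The testing instructions above compare two audit runs by hand (`npm audit` and `npm audit --omit dev`) and treat a fix that needs `--force` as a reviewer decision. Below is an added example gate, not code from this PR or from Joomla, that does the same over the JSON form of both runs (`--json`; npm audit report v2 structure assumed). The policy encoded here is an assumption: any finding in a production dependency blocks, dev-only findings block from `devFailAt` upwards, and findings whose only fix is a semver-major bump are listed separately.

```javascript
// Added example, not part of the Joomla PR. Gate for the two audit runs in the
// testing instructions: the full `npm audit --json` report and the
// `npm audit --omit dev --json` report (audit report v2 layout assumed).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function evaluateAudit(fullReport, prodReport, devFailAt = 'high') {
  // `--omit dev` lists only findings reachable from production dependencies,
  // so membership in that report is what decides "prod" vs "dev-only".
  const prodNames = new Set(Object.keys(prodReport.vulnerabilities || {}));
  const result = { blocking: [], needsForce: [], accepted: [] };
  for (const v of Object.values(fullReport.vulnerabilities || {})) {
    const inProd = prodNames.has(v.name);
    const rank = SEVERITY_RANK[v.severity] ?? 0;
    // npm describes a breaking-change-only fix (what `npm audit fix --force`
    // would install) as an object carrying isSemVerMajor: true.
    const fix = v.fixAvailable;
    const forceOnly = fix !== null && typeof fix === 'object' && fix.isSemVerMajor === true;
    const entry = { name: v.name, severity: v.severity, inProd, forceOnly };
    if (inProd || rank >= SEVERITY_RANK[devFailAt]) result.blocking.push(entry);
    else if (forceOnly) result.needsForce.push({ ...entry, fixVersion: fix.version });
    else result.accepted.push(entry);
  }
  return result;
}

// Constructed reports mirroring the PR's "before" and "after" audit output,
// reduced to the fields the gate reads (form-data high, esbuild low).
const BEFORE_FULL = { auditReportVersion: 2, vulnerabilities: {
  'form-data': { name: 'form-data', severity: 'high', range: '4.0.0 - 4.0.5',
    nodes: ['node_modules/form-data'], fixAvailable: true },
  esbuild: { name: 'esbuild', severity: 'low', range: '0.27.3 - 0.28.0',
    nodes: ['node_modules/esbuild'],
    fixAvailable: { name: 'esbuild', version: '0.28.1', isSemVerMajor: true } },
} };
const AFTER_FULL = { auditReportVersion: 2,
  vulnerabilities: { esbuild: BEFORE_FULL.vulnerabilities.esbuild } };
// `npm audit --omit dev` found 0 vulnerabilities both before and after the PR.
const PROD_EMPTY = { auditReportVersion: 2, vulnerabilities: {} };

function gateBefore() { return evaluateAudit(BEFORE_FULL, PROD_EMPTY); }
function gateAfter() { return evaluateAudit(AFTER_FULL, PROD_EMPTY); }

console.log(JSON.stringify({ before: gateBefore(), after: gateAfter() }, null, 2));
```

With the PR applied, only the esbuild entry remains and it lands in `needsForce`, which is exactly the question the description puts to the maintainers.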

richard67 - open - 25 Jun 2026
richard67 - change - 25 Jun 2026
Status: New -> Pending
joomla-cms-bot - change - 25 Jun 2026
Category: NPM Change
richard67 - change - 25 Jun 2026
The description was changed
richard67 - edited - 25 Jun 2026
tecpromotion - change - 26 Jun 2026
Status: Pending -> Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 -> 2026-06-26 06:04:26
Closed_By: tecpromotion
Labels Added: NPM Resource Changed PR-6.1-dev
tecpromotion - close - 26 Jun 2026
tecpromotion - merge - 26 Jun 2026
HLeithner - comment - 26 Jun 2026

thx
