Skip to content

[5.4] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-16 #46502

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: 5.4-dev
Choose a base branch
from
Open

[5.4] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-16 #46502

wants to merge 1 commit into from
+13 −13

Conversation

@richard67
Copy link
Member

@richard67 richard67 commented Nov 26, 2025
edited
Loading

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one high severity and one moderate severity security vulnerability in indirect NPM development dependencies reported by npm audit by using npm audit fix.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

glob  11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tinymce

3 vulnerabilities (2 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

@joomla-cms-bot joomla-cms-bot added NPM Resource Changed This Pull Request can't be tested by Patchtester PR-5.4-dev labels Nov 26, 2025
@richard67 richard67 added the bug label Nov 26, 2025
@richard67 richard67 mentioned this pull request Nov 26, 2025
Open
4 tasks
@richard67 richard67 added this to the Joomla! 5.4.2 milestone Nov 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug NPM Resource Changed This Pull Request can't be tested by Patchtester PR-5.4-dev

Projects

None yet

Milestone

Joomla! 5.4.2

Development

Successfully merging this pull request may close these issues.

2 participants

@richard67 @joomla-cms-bot