Conversation

@richard67
Member

@richard67 richard67 commented Nov 26, 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one high severity and one moderate severity security vulnerability in indirect NPM development dependencies reported by npm audit by using npm audit fix.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

glob  11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tinymce

3 vulnerabilities (2 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
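The testing instructions above rely on reading the text report that npm audit prints. The following Node.js script is an added example, not code from this pull request or from the Joomla project: it consumes the JSON form of the same report (npm audit --json, the auditReportVersion 2 layout used by npm 7 and later) and separates findings that npm audit fix can resolve from those that would need --force because the only fix is a semver-major upgrade, which is exactly the split between the BEFORE and AFTER reports shown in the description. The embedded report is constructed to mirror the page's text output; the tinymce fix version is a placeholder, and the function names (summarizeAudit, shouldFailBuild, afterAuditFix) are this example's own.

```javascript
// Added example, not part of the Joomla PR: triage an `npm audit --json` report.
// SAMPLE_REPORT is constructed to mirror the page's text report; the tinymce
// fix version is a placeholder, not a real release number.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    glob: {
      name: "glob", severity: "high", isDirect: false,
      range: "11.0.0 - 11.0.3", nodes: ["node_modules/glob"],
      via: [{ title: "glob CLI: Command injection via -c/--cmd executes matches with shell:true",
              url: "https://github.com/advisories/GHSA-5j98-mcp5-4vw2" }],
      fixAvailable: true, // plain `npm audit fix` resolves it
    },
    "js-yaml": {
      name: "js-yaml", severity: "moderate", isDirect: false,
      range: "4.0.0 - 4.1.0", nodes: ["node_modules/js-yaml"],
      via: [{ title: "js-yaml has prototype pollution in merge (<<)",
              url: "https://github.com/advisories/GHSA-mh29-5h37-fv8m" }],
      fixAvailable: true,
    },
    tinymce: {
      name: "tinymce", severity: "moderate", isDirect: true,
      range: "<7.0.0", nodes: ["node_modules/tinymce"],
      via: [{ title: "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements",
              url: "https://github.com/advisories/GHSA-5359-pvf2-pw78" }],
      // An object here means the only available fix is a breaking (semver-major) upgrade.
      fixAvailable: { name: "tinymce", version: "X.Y.Z-placeholder", isSemVerMajor: true },
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Count findings per severity and bucket them by how they can be fixed.
function summarizeAudit(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const fixableNow = [];   // resolved by `npm audit fix`
  const breakingOnly = []; // need `npm audit fix --force` (major upgrade)
  const unfixable = [];    // no fix published yet
  for (const v of Object.values(report.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    const entry = {
      name: v.name, severity: v.severity, range: v.range, direct: v.isDirect,
      // `via` mixes advisory objects with strings naming the parent package;
      // only the objects carry an advisory URL.
      advisories: (v.via || []).filter((x) => typeof x === "object").map((x) => x.url),
    };
    if (v.fixAvailable === true) fixableNow.push(entry);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor)
      breakingOnly.push({ ...entry, fixVersion: v.fixAvailable.version });
    else unfixable.push(entry);
  }
  return { counts, fixableNow, breakingOnly, unfixable };
}

// CI gate: true when any finding at or above `threshold` severity remains.
function shouldFailBuild(summary, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return Object.entries(summary.counts).some(([sev, n]) => n > 0 && SEVERITY_RANK[sev] >= min);
}

// Model what a non-forced `npm audit fix` leaves behind: every entry it could not fix.
function afterAuditFix(report) {
  const remaining = {};
  for (const [key, v] of Object.entries(report.vulnerabilities || {})) {
    if (v.fixAvailable !== true) remaining[key] = v;
  }
  return { ...report, vulnerabilities: remaining };
}

// Usage on the constructed report: the "before" summary, then the "after" one.
console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT).counts));
console.log(JSON.stringify(summarizeAudit(afterAuditFix(SAMPLE_REPORT)).counts));
```

To run it against a real checkout, save the output of npm audit --json to a file and pass the parsed JSON to summarizeAudit in place of SAMPLE_REPORT. The breakingOnly bucket is what stays after a non-forced fix, which is why the tinymce finding survives in the AFTER report above, and shouldFailBuild lets a pipeline block on high or critical findings while leaving a moderate finding that only a major upgrade can address for a reviewed, separate change.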

@joomla-cms-bot joomla-cms-bot added NPM Resource Changed This Pull Request can't be tested by Patchtester PR-5.4-dev labels Nov 26, 2025
@richard67 richard67 added the bug label Nov 26, 2025
@richard67 richard67 added this to the Joomla! 5.4.2 milestone Nov 26, 2025
@muhme muhme changed the title [5.4] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-16 [5.4] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-26 Nov 29, 2025
@muhme
Contributor

muhme commented Nov 29, 2025

I have tested this item ✅ successfully on f93544b

  • Seen the 3 vulnerabilities (1 high, 2 moderate) before
  • Applied PR with gh pr checkout 46502 and running npm audit report shows only the one moderate tinymce severity vulnerability remaining, as expected
  • Using node v24.11.1, saved package-lock.json file for comparison, gone back with git switch -, did npm audit fix on my own and got exactly the same package-lock.json file
  • The license change for two packages from ISC to BlueOak-1.0.0 looks for my simple understanding as in OSI-compatible spirit.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46502.

@muhme muhme merged commit d7f79a9 into joomla:5.4-dev Nov 29, 2025
60 checks passed
@muhme
Contributor

muhme commented Nov 29, 2025

Thank you @richard67 for your contribution.

@richard67 richard67 deleted the 5.4-dev-npm-audit-fix-2025-11-26 branch November 29, 2025 09:09