Skip to content

[6.0] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-26 #46503

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 6.0-dev
Choose a base branch
from
Open

[6.0] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-26 #46503

wants to merge 2 commits into from
+13 −13

Conversation

@richard67
Copy link
Member

@richard67 richard67 commented Nov 26, 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one high severity and one moderate severity security vulnerability in indirect NPM development dependencies reported by npm audit by using npm audit fix.

Same as PR #46502 for 5.4-dev, but here for 6.0-dev to avoid ugly merge conflicts for the upmerge after that.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

glob  11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml

2 vulnerabilities (1 moderate, 1 high)

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

@joomla-cms-bot joomla-cms-bot added NPM Resource Changed This Pull Request can't be tested by Patchtester PR-6.0-dev labels Nov 26, 2025
@richard67 richard67 added the bug label Nov 26, 2025
@richard67 richard67 added this to the Joomla! 6.0.2 milestone Nov 26, 2025
@muhme muhme changed the title [6.0] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-16 [6.0] NPM audit fix security vulnerabilities in indirect development dependencies 2025-11-26 Nov 29, 2025
@muhme
Copy link
Contributor

muhme commented Nov 29, 2025
edited
Loading

I have tested this item ✅ successfully on 08325f1

  • Using node v24.11.1
  • Seen the 2 vulnerabilities (1 high, 1 moderate) before
  • Applied PR with gh pr checkout 46502 and running npm audit reports 0 vulnerabilities
  • Saved package-lock.json file for comparisation, gone back with git switch -, did npm audit fix by own and got exactly the same package-lock.json file
  • The license change for two packages from ISC to BlueOak-1.0.0 looks for my simple understanding as in OSI-compatible spirit.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46503.

@richard67 richard67 mentioned this pull request Nov 29, 2025
Merged
@brianteeman
Copy link
Contributor

brianteeman commented Nov 30, 2025

I have tested this item ✅ successfully on 08325f1

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46503.

@joomla-cms-bot joomla-cms-bot removed NPM Resource Changed This Pull Request can't be tested by Patchtester bug PR-6.0-dev labels Nov 30, 2025
@alikon
Copy link
Contributor

alikon commented Nov 30, 2025

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46503.

@joomla-cms-bot joomla-cms-bot removed this from the Joomla! 6.0.2 milestone Nov 30, 2025
@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Nov 30, 2025
@alikon alikon added NPM Resource Changed This Pull Request can't be tested by Patchtester bug PR-6.0-dev labels Nov 30, 2025
@alikon alikon added this to the Joomla! 6.0.2 milestone Nov 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug NPM Resource Changed This Pull Request can't be tested by Patchtester PR-6.0-dev RTC This Pull Request is Ready To Commit

Projects

None yet

Milestone

Joomla! 6.0.2

Development

Successfully merging this pull request may close these issues.

5 participants

@richard67 @muhme @brianteeman @alikon @joomla-cms-bot