
[6.0] NPM audit fix security vulnerabilities in development dependencies 2026-01-10#46663

Merged
softforge merged 3 commits into joomla:6.0-dev from richard67:6.0-dev-npm-audit-fix-2026-01-08
Jan 13, 2026

Conversation

@richard67
Member

@richard67 richard67 commented Jan 10, 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes two high and one low severity security vulnerabilities in NPM development dependencies reported by npm audit by using npm audit fix.

@Bodge-IT @softforge Same as PR #46662 for 5.4-dev, but here for 6.0-dev to avoid ugly merge conflicts for the upmerge after that. Just ignore all changes in the "package.json" and "package-lock.json" files when doing an upmerge after the 5.4-dev PR has been merged.

@HLeithner @tecpromotion In 6.1-dev the changes from this PR here have already been made with the NPM dependency update, so simply ignore the changes when doing your upmerge after this PR here has been merged into 6.0-dev.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

@smithy/config-resolver  <4.4.0
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value - https://github.com/advisories/GHSA-6475-r3vj-m8vf
fix available via `npm audit fix`
node_modules/@smithy/config-resolver

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs
  @cypress/request  <=3.0.9
  Depends on vulnerable versions of qs
  node_modules/@cypress/request

3 vulnerabilities (1 low, 2 high)

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
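Added example, not code from the PR or the Joomla project: a small Node script that reads the JSON form of the same report (`npm audit --json`) and fails a CI job when any finding at or above a chosen severity remains. It separates packages that are the root of an advisory (qs) from packages that are only affected through a vulnerable dependency (@cypress/request), and notes whether `npm audit fix` can resolve a finding without `--force`. The embedded sample report is constructed to mirror the three findings quoted in the testing instructions above; the script name and the `--stdin` flag are assumptions.

```javascript
// Added example (not part of the Joomla PR): a CI gate over `npm audit --json` output.
// Assumed usage:  npm audit --json | node audit-gate.js --stdin
// Without --stdin the script runs on the constructed sample report below.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Summarise an npm audit (report version 2) JSON document. For each affected
// package we record whether it is the root of an advisory or only affected
// through a vulnerable dependency, and whether `npm audit fix` can resolve it
// without `--force` (fixAvailable === true; an object means a semver-major bump).
function summarizeAudit(report, threshold = 'high') {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${threshold}`);
  const min = SEVERITY_RANK[threshold];
  const findings = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    // `via` mixes advisory objects (root cause) with package-name strings
    // (the package is vulnerable only because that dependency is).
    const advisories = (vuln.via || []).filter((v) => typeof v === 'object' && v !== null);
    findings.push({
      name,
      severity: vuln.severity,
      range: vuln.range,
      isDirect: Boolean(vuln.isDirect),
      transitive: advisories.length === 0,
      fixWithoutForce: vuln.fixAvailable === true,
      fixNeedsForce: typeof vuln.fixAvailable === 'object' && vuln.fixAvailable !== null,
      advisories: advisories.map((a) => a.url),
    });
  }
  const failing = findings.filter((f) => (SEVERITY_RANK[f.severity] ?? 0) >= min);
  const total = report.metadata?.vulnerabilities?.total ?? findings.length;
  return { findings, failing, total, pass: failing.length === 0 };
}

// Constructed sample: the shape `npm audit --json` produces, filled with the
// three findings quoted in the PR's "Actual result BEFORE" section.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@smithy/config-resolver': {
      name: '@smithy/config-resolver', severity: 'low', isDirect: false,
      via: [{ name: '@smithy/config-resolver', severity: 'low', range: '<4.4.0',
              title: 'AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value',
              url: 'https://github.com/advisories/GHSA-6475-r3vj-m8vf' }],
      effects: [], range: '<4.4.0', nodes: ['node_modules/@smithy/config-resolver'], fixAvailable: true,
    },
    qs: {
      name: 'qs', severity: 'high', isDirect: false,
      via: [{ name: 'qs', severity: 'high', range: '<6.14.1',
              title: "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",
              url: 'https://github.com/advisories/GHSA-6rw7-vpxm-498p' }],
      effects: ['@cypress/request'], range: '<6.14.1', nodes: ['node_modules/qs'], fixAvailable: true,
    },
    '@cypress/request': {
      name: '@cypress/request', severity: 'high', isDirect: false,
      via: ['qs'], // affected only through qs, no advisory of its own
      effects: [], range: '<=3.0.9', nodes: ['node_modules/@cypress/request'], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0, total: 3 } },
};

function main() {
  const real = process.argv.includes('--stdin');
  const report = real ? JSON.parse(require('fs').readFileSync(0, 'utf8')) : SAMPLE_REPORT;
  const result = summarizeAudit(report, 'high');
  for (const f of result.findings) {
    let line = `${f.severity.padEnd(8)} ${f.name} ${f.range}`;
    if (f.transitive) line += ' (via vulnerable dependency)';
    if (f.fixWithoutForce) line += ' [npm audit fix]';
    if (f.fixNeedsForce) line += ' [needs npm audit fix --force]';
    console.log(line);
  }
  console.log(result.pass
    ? `OK: ${result.total} finding(s), none at or above 'high'`
    : `FAIL: ${result.failing.length} of ${result.total} finding(s) at or above 'high'`);
  // Only a real piped report drives the exit status, so the sample run stays informational.
  if (real) process.exitCode = result.pass ? 0 : 1;
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run against the sample, the gate reports qs and @cypress/request as failing and the @smithy advisory as below threshold; after `npm audit fix`, a real report has an empty `vulnerabilities` object and the gate passes, which is the machine-readable form of the "found 0 vulnerabilities" expected result.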

@joomla-cms-bot joomla-cms-bot added NPM Resource Changed This Pull Request can't be tested by Patchtester PR-6.0-dev labels Jan 10, 2026
@richard67 richard67 added the bug label Jan 10, 2026
@richard67 richard67 added this to the Joomla! 6.0.3 milestone Jan 10, 2026
@brianteeman
Contributor

I have tested this item ✅ successfully on 8eb2372


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46663.

@Bodge-IT
Contributor

I have tested this item ✅ successfully on 8eb2372


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46663.

@joomla-cms-bot joomla-cms-bot removed this from the Joomla! 6.0.3 milestone Jan 13, 2026
@richard67
Member Author

RTC


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46663.

@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Jan 13, 2026
@richard67 richard67 added this to the Joomla! 6.0.3 milestone Jan 13, 2026
@softforge softforge merged commit 813b0ce into joomla:6.0-dev Jan 13, 2026
51 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Jan 13, 2026
@softforge
Contributor

Thank you @richard67 as always and to the testers for their diligence

@richard67 richard67 deleted the 6.0-dev-npm-audit-fix-2026-01-08 branch January 13, 2026 19:13