
[6.0] NPM audit fix one moderate severity security vulnerability#46759

Merged
softforge merged 1 commit into joomla:6.0-dev from richard67:6.0-dev-npm-audit-fix-2026-01-25
Jan 25, 2026
Conversation

@richard67
Member

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one moderate severity security vulnerability in NPM dependencies reported by npm audit by using npm audit fix.

This updates the indirect development dependency "lodash" from 4.7.21 to 4.7.23.

@Bodge-IT @softforge The same update is also part of PR #46758 for 5.4-dev. This PR here will avoid a merge conflict for your upmerge after that 5.4-dev PR has been merged. Just merge this PR here before doing your upmerge, and in the upmerge completely ignore changes in package.json and package-lock.json.

@HLeithner @tecpromotion This update will also be needed in 6.1-dev. I can make a separate PR for that to avoid merge conflicts for your upmerge, but if you plan to do another, general NPM update anyway, it would not need my separate 6.1-dev PR.

In addition, this PR also updates the version of the "diff" dependency in the dependencies for Joomla. This was forgotten with PR #46713. I should just have run an npm ci after the update when I had made that PR.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

lodash  4.0.0 - 4.17.21
Severity: moderate
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
fix available via `npm audit fix`
node_modules/lodash

1 moderate severity vulnerability

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
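A defender-side check for step 3 of the testing instructions, added here as an example and not part of this PR or of Joomla's code base: it parses the JSON form of the audit report (`npm audit --json`) and reports whether any finding at or above a chosen severity remains, so the "found 0 vulnerabilities" expectation can be enforced in CI rather than read by eye. The report layout and the sample data are assumptions modelled on the npm audit report format printed by npm 7+ (auditReportVersion 2); only the lodash advisory values are taken from this PR.

```python
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample (assumed shape of `npm audit --json`, auditReportVersion 2)
# reproducing the pre-fix state quoted in the PR: lodash 4.0.0 - 4.17.21, moderate.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {
            "name": "lodash",
            "severity": "moderate",
            "isDirect": False,
            "via": [{
                "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
                "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
                "severity": "moderate",
                "range": "4.0.0 - 4.17.21",
            }],
            "range": "4.0.0 - 4.17.21",
            "nodes": ["node_modules/lodash"],
            "fixAvailable": True,
        }
    },
})


def findings_at_or_above(report_json: str, threshold: str = "moderate") -> list:
    """Return vulnerabilities whose severity is at least `threshold`, worst first."""
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold]
    hits = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(vuln.get("severity", "info"), 0) < min_rank:
            continue
        # `via` mixes advisory objects and plain package names (transitive paths);
        # only the objects carry an advisory URL.
        advisories = [v["url"] for v in vuln.get("via", []) if isinstance(v, dict) and "url" in v]
        hits.append({
            "name": name,
            "severity": vuln["severity"],
            "range": vuln.get("range"),
            "direct": bool(vuln.get("isDirect")),
            # fixAvailable is a bool or an object describing the fixing version.
            "fix_available": vuln.get("fixAvailable") is not False,
            "advisories": advisories,
        })
    return sorted(hits, key=lambda h: SEVERITY_RANK[h["severity"]], reverse=True)


def audit_passes(report_json: str, threshold: str = "moderate") -> bool:
    """True when nothing at or above the threshold remains (the PR's expected result)."""
    return not findings_at_or_above(report_json, threshold)
```

In a pipeline, pipe `npm audit --json` into `findings_at_or_above` and fail the job when `audit_passes` returns False; the returned entries give the package, range and advisory URL for the build log.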

@joomla-cms-bot joomla-cms-bot added the NPM Resource Changed, This Pull Request can't be tested by Patchtester and PR-6.0-dev labels Jan 25, 2026
@richard67 richard67 changed the title [5.4] NPM audit fix one moderate severity security vulnerability [6.0] NPM audit fix one moderate severity security vulnerability Jan 25, 2026
@richard67 richard67 added the bug label Jan 25, 2026
@richard67 richard67 added this to the Joomla! 6.0.3 milestone Jan 25, 2026
@Bodge-IT
Contributor

I have tested this item ✅ successfully on daaa982


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46759.

@softforge softforge merged commit 4b63ccb into joomla:6.0-dev Jan 25, 2026
51 of 52 checks passed
@softforge
Contributor

Thank you @richard67 for your work and the tester for their test

@richard67 richard67 deleted the 6.0-dev-npm-audit-fix-2026-01-25 branch January 25, 2026 19:26