[6.0] NPM update indirect development dependencies to fix 19 security vulnerabilities#46826

Merged
Bodge-IT merged 3 commits into joomla:6.0-dev from richard67:6.0-dev-npm-audit-fix-2026-02-01
Feb 4, 2026
Conversation

@richard67
Member

@richard67 richard67 commented Feb 3, 2026

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes 1 critical and 18 high severity security vulnerabilities in indirect NPM development dependencies, reported by npm audit, by using npm audit fix.

As they are all development dependencies, they are not shipped with installation or update packages.

@Bodge-IT @softforge It is the same as PR #46825 for 5.4-dev, but here for 6.0-dev, so you don't have to handle any merge conflict in the lock file. Simply merge this PR here into your 6.0-dev branch, and when the 5.4-dev PR has been merged and you do an upmerge after that, just ignore all changes in package-lock.json and keep the file from 6.0-dev.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

@isaacs/brace-expansion  5.0.0
Severity: critical
@isaacs/brace-expansion has Uncontrolled Resource Consumption - https://github.com/advisories/GHSA-7h2j-956f-4vf2
fix available via `npm audit fix`
node_modules/@isaacs/brace-expansion

fast-xml-parser  4.3.6 - 5.3.3
Severity: high
fast-xml-parser has RangeError DoS Numeric Entities Bug - https://github.com/advisories/GHSA-37qj-frw5-hhjh
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.2
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder
    @aws-sdk/core  3.894.0 - 3.972.0
    Depends on vulnerable versions of @aws-sdk/xml-builder
    node_modules/@aws-sdk/core
      @aws-sdk/client-sesv2  3.894.0 - 3.978.0
      Depends on vulnerable versions of @aws-sdk/core
      Depends on vulnerable versions of @aws-sdk/credential-provider-node
      Depends on vulnerable versions of @aws-sdk/middleware-user-agent
      Depends on vulnerable versions of @aws-sdk/signature-v4-multi-region
      Depends on vulnerable versions of @aws-sdk/util-user-agent-node
      node_modules/@aws-sdk/client-sesv2
      @aws-sdk/client-sso  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      Depends on vulnerable versions of @aws-sdk/middleware-user-agent
      Depends on vulnerable versions of @aws-sdk/util-user-agent-node
      node_modules/@aws-sdk/client-sso
      @aws-sdk/credential-provider-env  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      node_modules/@aws-sdk/credential-provider-env
      @aws-sdk/credential-provider-http  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      node_modules/@aws-sdk/credential-provider-http
        @aws-sdk/credential-provider-node  3.894.0 - 3.972.0
        Depends on vulnerable versions of @aws-sdk/credential-provider-env
        Depends on vulnerable versions of @aws-sdk/credential-provider-http
        Depends on vulnerable versions of @aws-sdk/credential-provider-ini
        Depends on vulnerable versions of @aws-sdk/credential-provider-process
        Depends on vulnerable versions of @aws-sdk/credential-provider-sso
        Depends on vulnerable versions of @aws-sdk/credential-provider-web-identity
        node_modules/@aws-sdk/credential-provider-node
      @aws-sdk/credential-provider-ini  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      Depends on vulnerable versions of @aws-sdk/credential-provider-env
      Depends on vulnerable versions of @aws-sdk/credential-provider-http
      Depends on vulnerable versions of @aws-sdk/credential-provider-process
      Depends on vulnerable versions of @aws-sdk/credential-provider-sso
      Depends on vulnerable versions of @aws-sdk/credential-provider-web-identity
      Depends on vulnerable versions of @aws-sdk/nested-clients
      node_modules/@aws-sdk/credential-provider-ini
      @aws-sdk/credential-provider-process  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      node_modules/@aws-sdk/credential-provider-process
      @aws-sdk/credential-provider-sso  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/client-sso
      Depends on vulnerable versions of @aws-sdk/core
      Depends on vulnerable versions of @aws-sdk/token-providers
      node_modules/@aws-sdk/credential-provider-sso
      @aws-sdk/credential-provider-web-identity  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      Depends on vulnerable versions of @aws-sdk/nested-clients
      node_modules/@aws-sdk/credential-provider-web-identity
      @aws-sdk/middleware-sdk-s3  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      node_modules/@aws-sdk/middleware-sdk-s3
        @aws-sdk/signature-v4-multi-region  3.894.0 - 3.972.0
        Depends on vulnerable versions of @aws-sdk/middleware-sdk-s3
        node_modules/@aws-sdk/signature-v4-multi-region
      @aws-sdk/middleware-user-agent  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      node_modules/@aws-sdk/middleware-user-agent
        @aws-sdk/util-user-agent-node  3.894.0 - 3.972.0
        Depends on vulnerable versions of @aws-sdk/middleware-user-agent
        node_modules/@aws-sdk/util-user-agent-node
      @aws-sdk/nested-clients  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      Depends on vulnerable versions of @aws-sdk/middleware-user-agent
      Depends on vulnerable versions of @aws-sdk/util-user-agent-node
      node_modules/@aws-sdk/nested-clients
      @aws-sdk/token-providers  3.894.0 - 3.972.0
      Depends on vulnerable versions of @aws-sdk/core
      Depends on vulnerable versions of @aws-sdk/nested-clients
      node_modules/@aws-sdk/token-providers

19 vulnerabilities (18 high, 1 critical)

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentation

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
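An added example (not part of this PR or of Joomla's own code) automating the check in step 3 of the testing instructions: it reads `npm audit --json` output, counts findings per severity, and cross-checks every flagged package path against package-lock.json, where lockfile v2/v3 marks dev-only packages with `dev: true`, to verify the claim that none of the affected packages is shipped. The audit report and lockfile excerpts are constructed samples, and `auditGate` is an assumed name.

```javascript
// Added example (not Joomla's code): gate on `npm audit --json` output and
// confirm via package-lock.json that every vulnerable package is dev-only
// (lockfile v2/v3 entries carry `"dev": true`), i.e. not shipped to users.

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Summarise an audit report: counts per severity, the number of findings at
// or above `failAt`, and the vulnerable packages whose lockfile entry is NOT
// dev-only (those would end up in installation or update packages).
function auditGate(audit, lock, failAt = "high") {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const shipped = [];
  for (const [name, vuln] of Object.entries(audit.vulnerabilities || {})) {
    counts[vuln.severity] = (counts[vuln.severity] || 0) + 1;
    for (const node of vuln.nodes || []) {
      const entry = lock.packages && lock.packages[node];
      // A missing lock entry is treated as shipped: never assume dev-only silently.
      if (!entry || entry.dev !== true) shipped.push(`${name} (${node})`);
    }
  }
  const threshold = SEVERITY_ORDER.indexOf(failAt);
  const blocking = SEVERITY_ORDER.slice(threshold).reduce((n, s) => n + counts[s], 0);
  return { counts, blocking, shipped, devOnly: shipped.length === 0 };
}

// Constructed `npm audit --json` excerpt (auditReportVersion 2 layout).
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "@isaacs/brace-expansion": { severity: "critical", isDirect: false,
      nodes: ["node_modules/@isaacs/brace-expansion"], fixAvailable: true },
    "fast-xml-parser": { severity: "high", isDirect: false,
      nodes: ["node_modules/fast-xml-parser"], fixAvailable: true },
    "@aws-sdk/xml-builder": { severity: "high", isDirect: false,
      nodes: ["node_modules/@aws-sdk/xml-builder"], fixAvailable: true },
  },
};

// Constructed package-lock.json excerpt; the last entry lacks `dev: true`
// on purpose, to show how a non-dev-only finding is reported.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@isaacs/brace-expansion": { version: "5.0.0", dev: true },
    "node_modules/fast-xml-parser": { version: "4.3.6", dev: true },
    "node_modules/@aws-sdk/xml-builder": { version: "3.894.0" },
  },
};

// Run stand-alone: print the gate result for the sample inputs.
console.log(JSON.stringify(auditGate(sampleAudit, sampleLock), null, 2));
```

In a real checkout, feed it the parsed output of `npm audit --json` and the project's package-lock.json; a non-empty `shipped` list means the "development dependencies only" claim does not hold for that finding.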

@joomla-cms-bot joomla-cms-bot added NPM Resource Changed This Pull Request can't be tested by Patchtester PR-6.0-dev labels Feb 3, 2026
@richard67 richard67 added the bug label Feb 3, 2026
@brianteeman
Contributor


@isaacs/brace-expansion  5.0.0
Severity: critical
@isaacs/brace-expansion has Uncontrolled Resource Consumption - https://github.com/advisories/GHSA-7h2j-956f-4vf2
fix available via `npm audit fix`
node_modules/@isaacs/brace-expansion

1 critical severity vulnerability

@richard67
Member Author


@isaacs/brace-expansion  5.0.0
Severity: critical
@isaacs/brace-expansion has Uncontrolled Resource Consumption - https://github.com/advisories/GHSA-7h2j-956f-4vf2
fix available via `npm audit fix`
node_modules/@isaacs/brace-expansion

1 critical severity vulnerability

@brianteeman Oh, that must be brand new. It wasn't there 1 hour ago. Will fix here and in the 5.4-dev PR in a minute.

@richard67 richard67 changed the title [6.0] NPM update indirect development dependencies to fix 18 high severity security vulnerabilities [6.0] NPM update indirect development dependencies to fix 19 security vulnerabilities Feb 3, 2026
@richard67
Member Author

Done.

@brianteeman
Contributor

I have tested this item ✅ successfully on 612db74


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46826.

@krishnagandhicode
Contributor

krishnagandhicode commented Feb 4, 2026

I have tested this item ✅ successfully on 612db74

Before applying Patch/fix:
Screenshot 2026-02-04 181557

After applying patch/fix:
Screenshot 2026-02-04 181922


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46826.

@richard67
Member Author

RTC


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46826.

@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Feb 4, 2026
@Bodge-IT Bodge-IT added this to the Joomla! 6.0.3 milestone Feb 4, 2026
@Bodge-IT Bodge-IT merged commit f42d5c2 into joomla:6.0-dev Feb 4, 2026
51 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Feb 4, 2026
@Bodge-IT
Contributor

Bodge-IT commented Feb 4, 2026

Thank you @richard67 and thanks to @krishnagandhicode and @brianteeman for the testing

@richard67 richard67 deleted the 6.0-dev-npm-audit-fix-2026-02-01 branch February 4, 2026 19:39