
Conversation

@richard67
Member

Pull Request for Issue # .

Summary of Changes

This pull request (PR) fixes one low severity and 3 moderate severity security vulnerabilities in indirect NPM development dependencies reported by npm audit by using npm audit fix.

Same as PR #46429 for 5.4-dev, but here for 6.0-dev to avoid ugly merge conflicts for the upmerge after that.

Testing Instructions

It needs a development environment with a git clone, composer and npm.

  1. If not done before, run composer install and npm ci.
  2. Run npm audit.
  3. Check the result.

Actual result BEFORE applying this Pull Request

# npm audit report

min-document  <=2.19.0
min-document vulnerable to prototype pollution - https://github.com/advisories/GHSA-rx8g-88g5-qh64
fix available via `npm audit fix`
node_modules/min-document

nodemailer  <7.0.7
Severity: moderate
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict - https://github.com/advisories/GHSA-mm7p-fcc7-pg87
fix available via `npm audit fix`
node_modules/nodemailer
node_modules/smtp-server/node_modules/nodemailer
  mailparser  2.3.1 - 3.7.4
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  smtp-server  2.0.0 - 3.14.0
  Depends on vulnerable versions of nodemailer
  node_modules/smtp-server

4 vulnerabilities (1 low, 3 moderate)

To address all issues, run:
  npm audit fix

Expected result AFTER applying this Pull Request

found 0 vulnerabilities

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
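A check that goes one step beyond "npm audit says 0 vulnerabilities": read the `packages` map of a lockfileVersion 2/3 package-lock.json and verify every installed copy of the four packages from the audit report against the vulnerable ranges npm printed, including the nested copy at node_modules/smtp-server/node_modules/nodemailer that a top-level bump alone would miss. This is an added example, not code from this PR or the Joomla project; the lock-file contents and version numbers in the samples are constructed for illustration, not the PR's real before/after lock files, and the range syntax parser covers only the two forms seen in the report above.

```javascript
// Added example (not code from the PR or the Joomla project): check a
// lockfileVersion 2/3 package-lock.json against the vulnerable ranges that
// npm audit printed, so every installed copy of a package is verified,
// including nested copies such as node_modules/smtp-server/node_modules/nodemailer.

// Vulnerable ranges exactly as printed in the npm audit report of the PR.
const ADVISORY_RANGES = {
  'min-document': '<=2.19.0',
  'nodemailer': '<7.0.7',
  'mailparser': '2.3.1 - 3.7.4',   // flagged for depending on vulnerable nodemailer
  'smtp-server': '2.0.0 - 3.14.0', // flagged for depending on vulnerable nodemailer
};

// Compare two versions numerically on major.minor.patch. Pre-release suffixes
// are dropped, so "7.0.7-beta.1" sorts as 7.0.7 (sufficient for lock-file checks).
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Parse the two range forms npm audit prints: a single bound such as "<7.0.7"
// or "<=2.19.0", and a hyphenated "A - B" range (inclusive on both ends).
function inRange(version, range) {
  const hyphen = range.match(/^(\S+)\s+-\s+(\S+)$/);
  if (hyphen) {
    return cmpVersion(version, hyphen[1]) >= 0 && cmpVersion(version, hyphen[2]) <= 0;
  }
  const bound = range.match(/^(<=|>=|<|>)\s*(\S+)$/);
  if (!bound) throw new Error(`unsupported range syntax: ${range}`);
  const c = cmpVersion(version, bound[2]);
  return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 }[bound[1]];
}

// Package name from a lock-file path: the text after the last "node_modules/",
// which keeps the scope for "@scope/name" entries.
function packageName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? lockPath : lockPath.slice(i + 'node_modules/'.length);
}

// One finding per installed copy whose version is still inside the vulnerable
// range. npm audit counts by package, so one advisory can show up here twice
// when a nested copy was not updated along with the top-level one.
function findVulnerable(lock, ranges = ADVISORY_RANGES) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || !entry.version) continue; // root project entry or link
    const name = packageName(lockPath);
    const range = ranges[name];
    if (range && inRange(entry.version, range)) {
      findings.push({ path: lockPath, name, version: entry.version, range });
    }
  }
  return findings;
}

// Distinct vulnerable package names, matching how npm audit counts "N vulnerabilities".
function vulnerablePackages(lock, ranges = ADVISORY_RANGES) {
  return [...new Set(findVulnerable(lock, ranges).map(f => f.name))].sort();
}

// Build a constructed sample lock file (illustrative versions, not the PR's real data).
function sampleLock(versions) {
  const packages = { '': { name: 'sample-project', lockfileVersion: 3 } };
  for (const [p, v] of Object.entries(versions)) packages[p] = { version: v };
  return { lockfileVersion: 3, packages };
}

const LOCK_BEFORE = sampleLock({
  'node_modules/min-document': '2.19.0',
  'node_modules/nodemailer': '7.0.6',
  'node_modules/mailparser': '3.7.4',
  'node_modules/smtp-server': '3.14.0',
  'node_modules/smtp-server/node_modules/nodemailer': '6.9.16',
});

const LOCK_AFTER = sampleLock({
  'node_modules/min-document': '2.19.1',
  'node_modules/nodemailer': '7.0.7',
  'node_modules/mailparser': '3.7.5',
  'node_modules/smtp-server': '3.14.1',
  'node_modules/smtp-server/node_modules/nodemailer': '7.0.7',
});

// The case a reviewer should watch for: top-level nodemailer bumped, nested copy left behind.
const LOCK_PARTIAL = sampleLock({
  'node_modules/min-document': '2.19.1',
  'node_modules/nodemailer': '7.0.7',
  'node_modules/mailparser': '3.7.5',
  'node_modules/smtp-server': '3.14.1',
  'node_modules/smtp-server/node_modules/nodemailer': '6.9.16',
});

console.log('before :', vulnerablePackages(LOCK_BEFORE));
console.log('after  :', vulnerablePackages(LOCK_AFTER));
console.log('partial:', findVulnerable(LOCK_PARTIAL).map(f => `${f.path}@${f.version}`));
```

To run it against a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable` on both the base branch and the PR branch; an empty result on the PR branch plus an unchanged set of other entries in `git diff package-lock.json` is the evidence that `npm audit fix` touched only the packages named in the report.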

@joomla-cms-bot added the labels NPM Resource Changed (This Pull Request can't be tested by Patchtester) and PR-6.0-dev on Nov 9, 2025
@richard67
Member Author

@brianteeman Could you also test this one here? Thanks in advance.

@brianteeman
Contributor

I have tested this item ✅ successfully on d8d6e46


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46430.

@muhme
Contributor

muhme commented Nov 10, 2025

I have tested this item ✅ successfully on d8d6e46

Tested with JBT

  • Seen the 4 vulnerabilities (1 low, 3 moderate) before
  • Applied the PR with gh pr checkout 46430; running npm audit reported found 0 vulnerabilities
  • Went back with git switch -, updated NPM to 11.6.2 with npm install -g npm@latest, ran npm audit fix on my own and got exactly the same package-lock.json file
  • npm ci is still working and reports found 0 vulnerabilities

@muhme removed the labels NPM Resource Changed (This Pull Request can't be tested by Patchtester) and PR-6.0-dev on Nov 10, 2025
@muhme
Contributor

muhme commented Nov 10, 2025

RTC


@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Nov 10, 2025
@muhme added the labels NPM Resource Changed (This Pull Request can't be tested by Patchtester) and PR-6.0-dev on Nov 10, 2025
@Bodge-IT Bodge-IT merged commit 6c40472 into joomla:6.0-dev Nov 10, 2025
43 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Nov 10, 2025
@Bodge-IT
Contributor

Thanks @richard67 for the PR and thanks testers for ...tests!

@Bodge-IT Bodge-IT added this to the Joomla! 6.0.1 milestone Nov 10, 2025
@richard67 richard67 deleted the 6.0-dev-npm-audit-fix-2025-11-09 branch November 10, 2025 17:53