
[5.4] Update npm dependencies#45784

Merged
muhme merged 32 commits into joomla:5.4-dev from richard67:5.4-dev-npm-update-2025-07-25 on Aug 4, 2025

Conversation

@richard67
Member

@richard67 richard67 commented Jul 25, 2025

Pull Request for Issue #45731 .

Summary of Changes

This pull request (PR) updates all npm dependencies for which currently updates are available and an update is possible.

It also relaxes the fixed version pin "5.3.3" for bootstrap and updates that dependency to the latest version "5.3.7".

The fixed version constraint was once added with PR #41899 for version "5.3.2" and updated to "5.3.3" with the later PR #44067 , keeping a pin to a fixed version. According to the comments in the former PR, this can be changed back to a caret version constraint "^5.3.7".

For non-development dependencies only minor or patch updates are made. Major updates should be done with Joomla 6.0.0.

For development dependencies, major updates have to be done for the linters (eslint and stylelint) because they are outdated and not maintained anymore in the version we currently use.

This required making changes, e.g. on js or mjs files, which are described in detail in section "Major direct development dependency updates" further below.

With this PR, 2 security vulnerabilities reported by npm audit are fixed. We should check if we can backport them to 5.3-dev.

Major updates to be checked for Joomla 6

The following major updates of direct dependencies are not done with this PR:

Package                        Current  Wanted  Latest
@fortawesome/fontawesome-free    6.7.2   6.7.2   7.0.0
accessibility                   3.0.17  3.0.17   6.1.0
choices.js                       9.1.0   9.1.0  11.1.0
cropperjs                        1.6.2   1.6.2   2.0.1
diff                             5.2.0   5.2.0   8.0.2
dotenv                          16.6.1  16.6.1  17.2.1
es-module-shims                 1.10.1  1.10.1   2.6.1
mediaelement                     5.1.2   5.1.2   7.0.7
qrcode-generator                 1.5.2   1.5.2   2.0.2
shepherd.js                     11.2.0  11.2.0  14.5.1
tinymce                          6.8.6   6.8.6   8.0.1

Minor direct dependency updates

Major direct development dependency updates

eslint from 8.57.1 to 9.32.0

With version 9, the configuration file format of eslint has changed.

Due to the update, lots of // eslint-disable-next-line in some 90 js files have become obsolete.

This has been done by @dgrammatiko with commit b78c75f , then the new configuration files have been moved to the "build" folder with my commit 34964ca .

Thanks a lot @dgrammatiko for your help.

eslint-plugin-vue has been updated from 9.33.0 to 10.3.0 to match the new eslint version.

eslint-plugin-import has been updated from 2.31.0 to 2.32.0

eslint-config-airbnb-base has been removed because there is no version available which supports eslint version 9.

stylelint from 14.16.1 to 16.23.0

With version 15, stylelint decided to focus on the main purpose of a code linter and leave pure code style checks to external tools. See details below the list of rules here https://stylelint.io/migration-guide/to-15/#deprecated-stylistic-rules .

With version 16, these deprecated rules have been removed, see https://stylelint.io/migration-guide/to-16/#removed-deprecated-stylistic-rules .

That causes "Unknown rule" errors when running npm ci or npm run lint:css, and the GitHub action for the CSS style check fails.

This is fixed by adding the @stylistic/stylelint-plugin as recommended in the migration to 15 guide mentioned above, and changing the rules by adding a @stylistic/ prefix. In this way we can keep these rules, and npm run lint:css should work as before.

In addition, it was necessary to fix stylelint errors in 3 of our scss files which were reported by the updated version due to its improvements. See this commit in my PR: 3c4b4ff

The following direct development dependencies have been updated to match the new stylelint version:

  • stylelint-config-standard from 24.0.0 to 39.0.0
  • stylelint-order from 5.0.0 to 7.0.0
  • stylelint-scss from 4.7.0 to 6.12.1

Minor direct development dependency updates

  • @babel/core from 7.26.10 to 7.28.0
  • @babel/preset-env from 7.26.9 to 7.28.0
  • @rollup/plugin-commonjs from 28.0.3 to 28.0.6
  • @vue/compiler-sfc from 3.5.8 to 3.5.18
  • commander from 13.1.0 to 14.0.0
  • core-js from 3.41.0 to 3.44.0
  • cypress from 14.2.0 to 14.5.3
  • esbuild from 0.25.1 to 0.25.8
  • jasmine-core from 5.6.0 to 5.9.0
  • lightningcss from 1.29.3 to 1.30.1
  • pg from 8.14.0 to 8.16.3
  • rollup from 4.35.0 to 4.46.1
  • sass-embedded from 1.85.1 to 1.89.2
  • semver from 7.7.1 to 7.7.2

joomla-cypress is only changed from "^1.3.0" to "^1.3.1" in package.json.
In package-lock.json it is already up to date.

Indirect dependencies

The indirect dependencies of the above mentioned direct dependencies have been updated, too, of course.

But I don't think that needs to be reviewed in detail.

Testing Instructions

Reviews

Reviewers please use the GitHub review functionality to approve the changes or request changes.

  1. Review the changes listed above.
  2. Check that GitHub actions of the CI checks are successful.
  3. Check that the patched package for this PR has been successfully built with the Drone CI step.

Real Tests

When having tested, please submit your test result in the issue tracker here https://issues.joomla.org/tracker/joomla-cms/45784 with the blue "Test this" button at the top left corner.

Pre-conditions: It needs a development environment, i.e. a git clone, composer and npm.

The description below assumes that you have a git clone of your fork with origin being the remote for your fork, and upstream being the remote to this repository here, as it is with a standard installation of GitHub desktop or most other Git clients.

  1. Check out your 5.4-dev branch and make sure that your branch is clean and up to date with the upstream 5.4-dev branch:
     git clean -d -x -f
     git checkout .
     git checkout 5.4-dev
     git remote update
     git reset --hard upstream/5.4-dev
  2. Run composer install.
  3. Run npm ci.
  4. Check the first lines of output created by the previous command for messages about deprecated dependencies.
     Result: See section "Actual result BEFORE applying this Pull Request" below.
  5. Run npm audit to check for security issues.
     Result: See section "Actual result BEFORE applying this Pull Request" below.
  6. Run npm outdated to check for outdated dependencies.
     Result: See section "Actual result BEFORE applying this Pull Request" below.
  7. Clean up your local clone:
     git clean -d -x -f
     git checkout .
  8. Fetch this pull request into a local branch on your clone and check out that branch:
     git fetch upstream pull/45784/head:test-pr-45784
     git checkout test-pr-45784
  9. Repeat the previous steps 2 to 6.
     For the results of steps 4, 5 and 6, see section "Expected result AFTER applying this Pull Request" below.
  10. Make a new installation.
  11. Check in administrator and site that everything looks as usual.

Actual result BEFORE applying this Pull Request

When running npm ci, 6 deprecated dependencies are reported:

richard@vmubu02:~/lamp/public_html/joomla-cms-5.4-dev$ npm ci
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.

> joomla@5.4.0 install
> node build/build.mjs --prepare
...

When running npm audit you get 3 vulnerabilities (1 low, 1 moderate, 1 critical):

# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion

form-data  4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.0.1, which is a breaking change
node_modules/tinymce

3 vulnerabilities (1 low, 1 moderate, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

When running npm outdated you get a giant list too long to be mentioned here.

Expected result AFTER applying this Pull Request

When running npm ci, no deprecated dependencies are reported:

richard@vmubu02:~/lamp/public_html/joomla-cms-5.4-dev$ npm ci

> joomla@5.4.0 install
> node build/build.mjs --prepare
...

When running npm audit you only get the moderate vulnerability of tinymce, which cannot be fixed without a major update and which we currently circumvent with restrictive settings, e.g. for iframes.

When running npm outdated you get:

Package                        Current  Wanted  Latest  Location                                    Depended by
@fortawesome/fontawesome-free    6.7.2   6.7.2   7.0.0  node_modules/@fortawesome/fontawesome-free  joomla-cms
accessibility                   3.0.17  3.0.17   6.1.0  node_modules/accessibility                  joomla-cms
choices.js                       9.1.0   9.1.0  11.1.0  node_modules/choices.js                     joomla-cms
cropperjs                        1.6.2   1.6.2   2.0.1  node_modules/cropperjs                      joomla-cms
diff                             5.2.0   5.2.0   8.0.2  node_modules/diff                           joomla-cms
dotenv                          16.6.1  16.6.1  17.2.1  node_modules/dotenv                         joomla-cms
es-module-shims                 1.10.1  1.10.1   2.6.1  node_modules/es-module-shims                joomla-cms
mediaelement                     5.1.2   5.1.2   7.0.7  node_modules/mediaelement                   joomla-cms
qrcode-generator                 1.5.2   1.5.2   2.0.2  node_modules/qrcode-generator               joomla-cms
shepherd.js                     11.2.0  11.2.0  14.5.1  node_modules/shepherd.js                    joomla-cms
tinymce                          6.8.6   6.8.6   8.0.1  node_modules/tinymce                        joomla-cms

Administrator and site look as usual.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
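The PR description leaves one moderate finding in place (the TinyMCE advisory, mitigated by restrictive editor settings) while fixing the other two. The following is an added example, not code from the Joomla PR or repository, of how a CI job can gate on `npm audit --json` output without either ignoring it or silencing everything: findings at or above a severity threshold fail the build unless every advisory behind them is on an explicit allow-list with a written reason. It assumes the npm v7+ audit JSON shape (a top-level "vulnerabilities" object keyed by package name, each entry with "severity", "range", "fixAvailable" and a "via" array of advisory objects carrying "url" and "title"); the sample report is constructed from the three findings quoted above.

```javascript
// Added example (not from the Joomla PR): a severity-threshold gate over the
// JSON output of `npm audit`, with a reviewed allow-list for findings that are
// mitigated elsewhere. Fails closed on unknown severities or unlisted advisories.
//
// Assumption: npm v7+ `npm audit --json` shape, i.e. a top-level
// "vulnerabilities" object keyed by package name whose entries carry
// "severity", "range", "fixAvailable" and a "via" array of advisory objects
// with "url" and "title" (plain strings in "via" are transitive references).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample, modelled on the three findings quoted in the PR
// description (advisory ids, ranges and severities are the ones shown there).
const SAMPLE_AUDIT_JSON = JSON.stringify({
  vulnerabilities: {
    'brace-expansion': {
      severity: 'low',
      range: '1.0.0 - 1.1.11 || 2.0.0 - 2.0.1',
      fixAvailable: true,
      via: [{ title: 'brace-expansion Regular Expression Denial of Service vulnerability',
              url: 'https://github.com/advisories/GHSA-v6h2-p8h4-qcjw', severity: 'low' }],
    },
    'form-data': {
      severity: 'critical',
      range: '4.0.0 - 4.0.3',
      fixAvailable: true,
      via: [{ title: 'form-data uses unsafe random function in form-data for choosing boundary',
              url: 'https://github.com/advisories/GHSA-fjxv-7rqg-78g4', severity: 'critical' }],
    },
    tinymce: {
      severity: 'moderate',
      range: '<7.0.0',
      fixAvailable: { name: 'tinymce', version: '8.0.1', isSemVerMajor: true },
      via: [{ title: 'TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements',
              url: 'https://github.com/advisories/GHSA-5359-pvf2-pw78', severity: 'moderate' }],
    },
  },
});

// Collect the GHSA ids named in a record's "via" entries.
function advisoryIds(record) {
  const ids = [];
  for (const via of record.via || []) {
    if (!via || typeof via !== 'object' || typeof via.url !== 'string') continue;
    const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/.exec(via.url);
    if (m) ids.push(m[0]);
  }
  return ids;
}

// Sort every finding into failing / accepted / belowThreshold.
// policy = { failAt: 'moderate', accepted: { 'GHSA-xxxx-xxxx-xxxx': 'reason' } }
function gateAudit(auditJson, policy) {
  const report = JSON.parse(auditJson);
  const threshold = SEVERITY_RANK[policy.failAt];
  if (threshold === undefined) throw new Error(`unknown severity threshold: ${policy.failAt}`);
  const accepted = policy.accepted || {};
  const result = { failing: [], accepted: [], belowThreshold: [] };
  for (const [name, record] of Object.entries(report.vulnerabilities || {})) {
    const ids = advisoryIds(record);
    const summary = {
      name, severity: record.severity, range: record.range, ids,
      // true when the only fix npm offers is a semver-major (breaking) bump
      breakingFixOnly: typeof record.fixAvailable === 'object'
        && record.fixAvailable !== null && record.fixAvailable.isSemVerMajor === true,
    };
    // An unknown severity string ranks as critical so it cannot slip through.
    if ((SEVERITY_RANK[record.severity] ?? 4) < threshold) {
      result.belowThreshold.push(summary);
    } else if (ids.length > 0 && ids.every((id) => id in accepted)) {
      // Every advisory behind the finding has a recorded, reviewed acceptance.
      result.accepted.push({ ...summary, reasons: ids.map((id) => accepted[id]) });
    } else {
      result.failing.push(summary);
    }
  }
  return result;
}

// Policy for this sample: the TinyMCE advisory is carried with a reason,
// everything else at moderate or above fails.
const POLICY = {
  failAt: 'moderate',
  accepted: {
    'GHSA-5359-pvf2-pw78': 'fix needs a major TinyMCE update; mitigated by restrictive editor settings, revisit for 6.0',
  },
};

const outcome = gateAudit(SAMPLE_AUDIT_JSON, POLICY);
for (const f of outcome.failing) console.log(`FAIL   ${f.name} (${f.severity}) ${f.range} ${f.ids.join(', ')}`);
for (const a of outcome.accepted) console.log(`ACCEPT ${a.name} (${a.severity}) ${a.reasons.join('; ')}`);
for (const b of outcome.belowThreshold) console.log(`info   ${b.name} (${b.severity}) below threshold`);
// In a pipeline, exit non-zero when outcome.failing is non-empty.
```

Run it against a real report with `npm audit --json > audit.json` and feed the file contents to gateAudit; keep the allow-list in the repository so each accepted advisory has a reason and a reviewer, and drop entries as soon as the upgrade that removes them (here the TinyMCE major planned for 6.0) lands.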

@joomla-cms-bot joomla-cms-bot added NPM Resource Changed This Pull Request can't be tested by Patchtester PR-5.4-dev labels Jul 25, 2025
@brianteeman brianteeman mentioned this pull request Jul 25, 2025
@brianteeman
Contributor

the pr is ok but the following outdated packages should be reviewed to see if they can be updated

Package                        Current  Wanted  Latest  Location
@fortawesome/fontawesome-free    6.7.2   6.7.2   7.0.0  node_modules/@fortawesome/fontawesome-free
accessibility                   3.0.17  3.0.17   6.1.1  node_modules/accessibility
choices.js                       9.0.1   9.0.1  11.0.1  node_modules/choices.js
commander                       13.1.0  13.1.0  14.0.0  node_modules/commander
cropperjs                        1.6.2   1.6.2   2.0.0  node_modules/cropperjs
cypress                         14.5.0  14.5.0  15.3.0  node_modules/cypress
diff                             5.2.0   5.2.0   8.0.1  node_modules/diff
dotenv                          16.0.1  16.0.1  16.5.0  node_modules/dotenv
es-module-shims                 1.10.1  1.10.1  1.10.4  node_modules/es-module-shims
eslint                          8.57.0  8.57.0   9.1.0  node_modules/eslint
eslint-plugin-vue               9.33.0  9.33.0  10.3.0  node_modules/eslint-plugin-vue
mediaelement                    4.2.16  4.2.16   5.1.0  node_modules/mediaelement
qrcode-generator                 1.5.2   1.5.2   1.5.3  node_modules/qrcode-generator
shepherd.js                     11.2.0  11.2.0  14.5.1  node_modules/shepherd.js
stylelint                      14.16.1 14.16.1 16.22.0  node_modules/stylelint
stylelint-config-standard       30.0.1  30.0.1  36.0.0  node_modules/stylelint-config-standard
stylelint-order                  5.0.0   5.0.0   7.0.0  node_modules/stylelint-order
stylelint-scss                   4.7.0   4.7.0  6.12.1  node_modules/stylelint-scss
tinymce                          6.8.6   6.8.6   8.0.0  node_modules/tinymce

@richard67
Member Author

richard67 commented Jul 25, 2025

@brianteeman TinyMCE 8 would be a b/c break and in general we will not make major updates in 5.4 if there is any risk for b/c breaks. Such things will be for 6.0.

@brianteeman
Contributor

that's why I said the list should be reviewed

@richard67
Member Author

@dgrammatiko Could you check the "Stylelint major update from 14 to 16" part in the description of this PR?

Should we do something to bring back the functionality of the removed style checks? Can we implement own stylelint rules for that? Or integrate another 3rd party tool? Or can we live without these checks?

You can see the removed rules in commit 69ab7a1 .

Thanks in advance for checking.

@richard67
Member Author

@dgrammatiko P.S.: Another problem is updating eslint stuff. I don't get that working here. It fails with unresolved dependencies or something like that. Maybe you can help also with that?

@dgrammatiko
Contributor

I’ll have a look later on today

@richard67
Member Author

@dgrammatiko For the stylelint rules they write in https://stylelint.io/migration-guide/to-15/#deprecated-stylistic-rules :

Alternatively, you can continue to enforce stylistic consistency with Stylelint by using the community plugin @stylistic/stylelint-plugin that has migrated the deprecated rules.

So maybe we can just add that plugin and add back the removed rules, e.g. "@stylistic/color-hex-case": "lower",?
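The migration sketched in this comment and in the PR description (load @stylistic/stylelint-plugin, move each removed stylistic rule under the "@stylistic/" prefix, leave real lint rules and other plugins' rules alone) is mechanical enough to script. The following is an added example, not code from the Joomla repository: it rewrites a stylelint-14-era config object into the stylelint 16 layout and is safe to run twice. The list of deprecated rule names in it is a partial, hand-picked set (the authoritative list is in the linked migration guide), and the legacy config it starts from is a constructed one, not Joomla's .stylelintrc.

```javascript
// Added example (not from the Joomla repository): migrate a stylelint 14 config
// to stylelint 16 by loading @stylistic/stylelint-plugin and moving the removed
// stylistic rules under the "@stylistic/" prefix. Idempotent on re-run.
//
// Assumption: DEPRECATED_STYLISTIC_RULES is a partial list of the stylistic
// rules stylelint deprecated in 15 and removed in 16; extend it from the
// migration guide (https://stylelint.io/migration-guide/to-15/) before use.
const STYLISTIC_PLUGIN = '@stylistic/stylelint-plugin';
const DEPRECATED_STYLISTIC_RULES = new Set([
  'color-hex-case', 'indentation', 'string-quotes', 'unit-case', 'property-case',
  'number-leading-zero', 'number-no-trailing-zeros', 'max-empty-lines',
  'no-eol-whitespace', 'no-missing-end-of-source-newline',
  'declaration-colon-space-after', 'declaration-block-trailing-semicolon',
  'block-opening-brace-space-before', 'selector-list-comma-newline-after',
]);

// Constructed legacy config (hypothetical, not Joomla's own .stylelintrc).
const LEGACY_CONFIG = {
  extends: ['stylelint-config-standard'],
  plugins: ['stylelint-order', 'stylelint-scss'],
  rules: {
    'color-hex-case': 'lower',
    indentation: 2,
    'string-quotes': 'double',
    'no-descending-specificity': null,
    'order/properties-alphabetical-order': true,
    'scss/at-rule-no-unknown': true,
  },
};

// Return a new config plus the rules that were moved and any that were dropped
// because the prefixed form was already present in the input.
function migrateStylelintConfig(config) {
  const plugins = Array.isArray(config.plugins) ? [...config.plugins] : [];
  if (!plugins.includes(STYLISTIC_PLUGIN)) plugins.push(STYLISTIC_PLUGIN);
  const inputRules = config.rules || {};
  const rules = {};
  const migrated = [];
  const dropped = [];
  for (const [name, setting] of Object.entries(inputRules)) {
    if (!DEPRECATED_STYLISTIC_RULES.has(name)) {
      rules[name] = setting; // core rule, already-prefixed rule or other plugin's rule
      continue;
    }
    const target = `@stylistic/${name}`;
    if (Object.prototype.hasOwnProperty.call(inputRules, target)) {
      dropped.push(name); // explicit @stylistic/ setting in the input wins
    } else {
      rules[target] = setting;
      migrated.push(name);
    }
  }
  return { config: { ...config, plugins, rules }, migrated, dropped };
}

const { config: migratedConfig, migrated } = migrateStylelintConfig(LEGACY_CONFIG);
console.log(JSON.stringify(migratedConfig, null, 2));
console.log('moved under @stylistic/:', migrated.join(', '));
```

Feed it the parsed contents of the existing .stylelintrc.json and write the result back; the only manual step left is the one the migration guide flags, checking that each kept rule still exists under the new plugin before npm run lint:css is trusted again.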

@richard67
Member Author

@dgrammatiko Done, I've added the plugin and added back the rules. Will update PR description with that. Stylelint issue solved. What remains is the eslint.

@dgrammatiko
Contributor

At some point we should move to biome and rolldown (rust based). I’m sure I have some code already but probably not for this pr. I’ll look at the eslint when I’m back home

@richard67
Member Author

richard67 commented Jul 27, 2025

Current status of this PR regarding outdated dependencies:

Package                        Current  Wanted  Latest  Location
@fortawesome/fontawesome-free    6.7.2   6.7.2   7.0.0  node_modules/@fortawesome/fontawesome-free
accessibility                   3.0.17  3.0.17   6.1.0  node_modules/accessibility
choices.js                       9.1.0   9.1.0  11.1.0  node_modules/choices.js
cropperjs                        1.6.2   1.6.2   2.0.1  node_modules/cropperjs
diff                             5.2.0   5.2.0   8.0.2  node_modules/diff
es-module-shims                 1.10.1  1.10.1   2.6.1  node_modules/es-module-shims
eslint                          8.57.1  8.57.1  9.32.0  node_modules/eslint
eslint-plugin-vue               9.33.0  9.33.0  10.3.0  node_modules/eslint-plugin-vue
mediaelement                     5.1.2   5.1.2   7.0.7  node_modules/mediaelement
shepherd.js                     11.2.0  11.2.0  14.5.1  node_modules/shepherd.js
tinymce                          6.8.6   6.8.6   8.0.0  node_modules/tinymce

@brianteeman
Contributor

accessibility, shepherd.js and tinymce definitely can not be updated in this PR

@richard67 richard67 changed the title [5.4] [WiP] Update npm dependencies [5.4] [Security] Update npm dependencies Aug 2, 2025
@richard67 richard67 marked this pull request as ready for review August 2, 2025 12:26
@richard67 richard67 changed the title [5.4] [Security] Update npm dependencies [5.4] Update npm dependencies Aug 2, 2025
@richard67
Member Author

I've reverted the major updates of the non-development dependencies, which were "es-module-shims", "qrcode-generator" and "dotenv", in order to play safe regarding b/c for 5.4. We can reconsider them when doing the npm updates for 6.0.

So this PR is ready for reviews and testing.

@brianteeman
Contributor

I have tested this item ✅ successfully on 3db258a


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45784.

@brianteeman
Contributor

confirming the updated versions and the eslint changes. the only css changes present appear to be directly from the bs upgrade which, as it's a bug fix upgrade, all look fine.

thanks for your hard work on this

@Hackwar
Member

Hackwar commented Aug 3, 2025

I have tested this item ✅ successfully on 3db258a


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45784.

@richard67
Member Author

RTC


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45784.

@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Aug 3, 2025
@muhme
Contributor

muhme commented Aug 4, 2025

✅ Final test before merge, using JBT recreate

  • Branch update and all CI checks passed
  • Checked package.json file: only minor or patch updates for non-development dependencies
  • Tested npm ci
  • Tested npm run lint:js
  • Tested npm run lint:css
  • Checked npx npm-check-updates --target minor: all currently available updates are included
  • Checked npm audit: only one (already named) moderate severity vulnerability exists with node_modules/tinymce
  • Tested with two small live site clones by updating 5.3.2 with Joomla_5.4.0-alpha4-dev+pr.45784-Development-Update_Package.zip
    • One site with 5 languages, another with > 30 articles and > 1'000 images
    • Short backend and frontend check, checked joomla_update.php

@muhme muhme merged commit 2acc28f into joomla:5.4-dev Aug 4, 2025
40 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Aug 4, 2025
@muhme muhme added this to the Joomla! 5.4.0 milestone Aug 4, 2025
@muhme
Contributor

muhme commented Aug 4, 2025

Many thanks @richard67 for all the work. Thank you @dgrammatiko for your contribution. Thank you @brianteeman and @Hackwar for testing.
