[5.3] Security updates for composer and npm dependencies for the upcoming 5.3.4 release#45984

Merged
HLeithner merged 2 commits into joomla:5.3-dev from richard67:5.3-dev-dependency-update-2025-08-26
Aug 27, 2025

Conversation

@richard67 richard67 (Member) commented Aug 26, 2025

Pull Request for Issue # .

Summary of Changes

This pull request (PR) updates composer and npm dependencies to fix security issues reported by composer audit and npm audit.

Testing Instructions

It needs a development environment (git clone + composer + npm) for testing.

For the actual result use the 5.3-dev branch of this repository (or of your clone if that is up to date with the upstream).

For the expected result you can fetch this PR into a local branch with a name of your choice, here as example "":

    git fetch upstream pull/45984/head:test-pr-45984
    git checkout test-pr-45984

  1. Clean up the branch from any previous tests:

    git clean -d -x -f
    git checkout .

  2. Run composer install.
  3. Run npm ci.
  4. Run composer audit.
  5. Run npm audit.

Actual result BEFORE applying this Pull Request

composer audit:

Found 2 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | enshrined/svg-sanitize                                                           |
| Severity          | medium                                                                           |
| CVE               | CVE-2025-55166                                                                   |
| Title             | svg-sanitizer Bypasses Attribute Sanitization                                    |
| URL               | https://github.com/advisories/GHSA-22wq-q86m-83fh                                |
| Affected versions | <0.22.0                                                                          |
| Reported at       | 2025-08-12T20:20:58+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+

npm audit:

# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion

form-data  4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.0.2, which is a breaking change
node_modules/tinymce

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp

4 vulnerabilities (2 low, 1 moderate, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected result AFTER applying this Pull Request

composer audit:

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | web-auth/webauthn-lib                                                            |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-39912                                                                   |
| Title             | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames  |
| URL               | https://github.com/advisories/GHSA-875x-g8p7-5w27                                |
| Affected versions | >=4.5.0,<4.9.0                                                                   |
| Reported at       | 2024-07-15T16:37:49+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package         | Suggested Replacement                                                            |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib                                                            |
+---------------------------+----------------------------------------------------------------------------------+

npm audit:

# npm audit report

tinymce  <7.0.0
Severity: moderate
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78
fix available via `npm audit fix --force`
Will install tinymce@8.0.2, which is a breaking change
node_modules/tinymce

1 moderate severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

Additional information

In the 5.4-dev and the 6.0-dev branches, only the composer dependency "enshrined/svg-sanitize" and the npm dependency "tmp" need to be updated as here; all other dependencies handled in this PR are already up to date in the mentioned branches. This will be handled with the upmerges by the release managers.

Link to documentation

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed
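The testing procedure above runs composer audit and npm audit by hand and compares the human-readable output before and after the PR. As an added example (not Joomla's own tooling, and not part of the PR), the Python below reads the JSON forms of the same two reports, `npm audit --json` and `composer audit --format=json`, and turns them into a pass/fail gate with a severity threshold, so the same check can run in CI instead of by eye. It also surfaces the one thing the plain output buries: an advisory whose only available fix is a semver-major upgrade (the tinymce 8.0.2 case in the PR description). The JSON field names are assumed from the formats npm 7+ and Composer 2.4+ emit and should be checked against the tool versions you run; the sample reports are constructed to mirror the counts in the PR description, not captured from a real run.

```python
"""Gate a build on the JSON output of `npm audit` and `composer audit`.

Added example for this PR page; it is not Joomla's own tooling. The JSON field
names (npm: vulnerabilities/via/fixAvailable; Composer: advisories/abandoned)
are assumed from the formats npm 7+ and Composer 2.4+ emit.
"""
import json
import subprocess

# Composer reports "medium", npm reports "moderate"; rank them together.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "medium": 2, "high": 3, "critical": 4}


def npm_findings(report):
    """One (package, severity, advisory URL, fix_is_breaking) tuple per advisory.

    `fixAvailable` is True/False for a clean fix and a dict carrying
    `isSemVerMajor` when only `npm audit fix --force` would resolve it.
    """
    found = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable", False)
        breaking = isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))
        for via in vuln.get("via", []):
            # A plain string in `via` only says "vulnerable through <dependency>";
            # the advisory itself is listed under that dependency instead.
            if isinstance(via, dict):
                found.append((name, via.get("severity", "low"), via.get("url", ""), breaking))
    return found


def composer_findings(report):
    """Same tuple shape for Composer advisories (Composer has no 'breaking fix' flag)."""
    found = []
    for pkg, advisories in report.get("advisories", {}).items():
        for adv in advisories:
            found.append((pkg, adv.get("severity", "medium"), adv.get("link", ""), False))
    return found


def abandoned_packages(report):
    """Composer's abandoned-package map: {package: suggested replacement}."""
    return dict(report.get("abandoned", {}))


def gate(findings, fail_level="moderate"):
    """Split findings into (blocking, non_blocking) at fail_level (inclusive)."""
    threshold = SEVERITY_RANK[fail_level]
    blocking = [f for f in findings if SEVERITY_RANK.get(f[1], 0) >= threshold]
    non_blocking = [f for f in findings if SEVERITY_RANK.get(f[1], 0) < threshold]
    return blocking, non_blocking


def run_audits(cwd="."):
    """Collect both reports from a checkout. Both commands exit non-zero when
    they find advisories, so the exit status is deliberately not checked here."""
    npm = subprocess.run(["npm", "audit", "--json"], cwd=cwd, capture_output=True, text=True)
    comp = subprocess.run(["composer", "audit", "--format=json"], cwd=cwd,
                          capture_output=True, text=True)
    return json.loads(npm.stdout or "{}"), json.loads(comp.stdout or "{}")


# Constructed samples mirroring the counts in the PR description's "before"
# and "after" audit output; they are not captured reports.
GHSA = "https://github.com/advisories/"
NPM_BEFORE = {"vulnerabilities": {
    "brace-expansion": {"severity": "low", "fixAvailable": True,
                        "via": [{"severity": "low", "url": GHSA + "GHSA-v6h2-p8h4-qcjw"}]},
    "form-data": {"severity": "critical", "fixAvailable": True,
                  "via": [{"severity": "critical", "url": GHSA + "GHSA-fjxv-7rqg-78g4"}]},
    "tinymce": {"severity": "moderate",
                "fixAvailable": {"name": "tinymce", "version": "8.0.2", "isSemVerMajor": True},
                "via": [{"severity": "moderate", "url": GHSA + "GHSA-5359-pvf2-pw78"}]},
    "tmp": {"severity": "low", "fixAvailable": True,
            "via": [{"severity": "low", "url": GHSA + "GHSA-52f5-9888-hmc6"}]},
}}
NPM_AFTER = {"vulnerabilities": {"tinymce": NPM_BEFORE["vulnerabilities"]["tinymce"]}}
COMPOSER_BEFORE = {
    "advisories": {
        "enshrined/svg-sanitize": [{"cve": "CVE-2025-55166", "severity": "medium",
                                    "affectedVersions": "<0.22.0",
                                    "link": GHSA + "GHSA-22wq-q86m-83fh"}],
        "web-auth/webauthn-lib": [{"cve": "CVE-2024-39912", "severity": "medium",
                                   "affectedVersions": ">=4.5.0,<4.9.0",
                                   "link": GHSA + "GHSA-875x-g8p7-5w27"}],
    },
    "abandoned": {"web-auth/metadata-service": "web-auth/webauthn-lib"},
}
COMPOSER_AFTER = {"advisories": {"web-auth/webauthn-lib":
                                 COMPOSER_BEFORE["advisories"]["web-auth/webauthn-lib"]},
                  "abandoned": COMPOSER_BEFORE["abandoned"]}


def report(npm_json, composer_json, fail_level="moderate"):
    """Gate result as (exit_code, lines); exit 1 when anything blocks."""
    blocking, rest = gate(npm_findings(npm_json) + composer_findings(composer_json), fail_level)
    lines = [f"{pkg}: {sev} {url}" + ("  [fix is a breaking upgrade]" if breaking else "")
             for pkg, sev, url, breaking in blocking]
    lines += [f"{pkg}: {sev} (below {fail_level}, not blocking)" for pkg, sev, _, _ in rest]
    for pkg, repl in abandoned_packages(composer_json).items():
        lines.append(f"{pkg}: abandoned, suggested replacement {repl}")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    for label, (n, c) in {"before": (NPM_BEFORE, COMPOSER_BEFORE),
                          "after": (NPM_AFTER, COMPOSER_AFTER)}.items():
        code, lines = report(n, c)
        print(f"--- {label}: exit {code}")
        print("\n".join(lines))
```

Run against a real checkout by replacing the constructed samples with `run_audits()`; with the default threshold the "after" state of this PR still exits 1 because the remaining tinymce advisory is moderate, and the report line marks it as fixable only by a breaking upgrade, which is the decision a release manager has to make by hand rather than letting `npm audit fix --force` make it.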

@joomla-cms-bot joomla-cms-bot added Composer Dependency Changed NPM Resource Changed This Pull Request can't be tested by Patchtester PR-5.3-dev labels Aug 26, 2025
@richard67 richard67 added the bug label Aug 26, 2025
@HLeithner HLeithner merged commit 88c0c12 into joomla:5.3-dev Aug 27, 2025
66 of 67 checks passed
@HLeithner HLeithner (Member) commented:

thanks

@richard67 richard67 added this to the Joomla! 5.3.4 milestone Aug 27, 2025
@richard67 richard67 deleted the 5.3-dev-dependency-update-2025-08-26 branch August 27, 2025 21:03
@richard67 richard67 mentioned this pull request Aug 28, 2025
muhme pushed a commit that referenced this pull request Aug 28, 2025
* [5.3] Translation Update #45983
* [5.3] Fix copy / paste error in form fields #45979
* [5.3] Security updates for composer and npm dependencies for the upcoming 5.3.4 release #45984
* [5.3] Update joomla/filesystem to fix extension uploads when post_max_size is 0 #45986
@richard67 richard67 mentioned this pull request Aug 28, 2025
softforge pushed a commit that referenced this pull request Aug 28, 2025
* [5.3] Translation Update (#45983)

* Fix copy / paste error (#45979)

* [5.3] Security updates for composer and npm dependencies for the upcoming 5.3.4 release (#45984)

* composer update enshrined/svg-sanitize to 0.22.0

* npm fix audit issues

* [5.3] Update TinyMCE from 6.8.5 to 6.8.6 to fix TinyMCE issue with cursor placement (#45987)

* npm update tinymce from 6.8.5 to 6.8.6

* Update version in tinymce.xml

* [5.4] Revert b/c breaking change in AbstractView::get (#45940)

* Revert "[5.4] Replace deprecation AbstractView::get() in layouts (#45702)"
* This reverts commit f1906ba.

* [5.3] Update joomla/filesystem to fix extension uploads when post_max_size is 0 (#45986)

* [5.4] Upmerge 2025-08-28 (#45997)

* [5.3] Translation Update #45983
* [5.3] Fix copy / paste error in form fields #45979
* [5.3] Security updates for composer and npm dependencies for the upcoming 5.3.4 release #45984
* [5.3] Update joomla/filesystem to fix extension uploads when post_max_size is 0 #45986

* [5.4] Composer update joomla/filesystem to 3.2.0 (#45999)

* Update content-hash