[5.4] Update Composer and NPM dependencies for 5.4.0-rc1

[richard67]

Pull Request for Issue # .

Summary of Changes

This pull request (PR) updates Composer and NPM dependencies for the upcoming 5.4.0-rc1 release.

All updates of non-development dependencies are minor or patch version updates only, there are no major updates.

For development dependencies some major updates are made. They work for the CMS core and produce b/c results, and we do not ship them with our packages.

The most notable change is the NPM dependency update of bootstrap from 5.3.7 to 5.3.8.

It adds the following to our template.css files:

[type="search"]::-webkit-search-cancel-button {
  cursor: pointer;
  filter: grayscale();
}

In addition it adds a flex-shrink: 0; property to the .spinner-grow, .spinner-border { sections.

See twbs/bootstrap#41639 and twbs/bootstrap#41654 for details.

Besides this I have not seen any notable changes, only bug fixes and improvements.

There may meanwhile be again updates for some dependencies available, but this PR here is in synch with the merged 6.0-dev PR #46100 for the common update for both branches, so I will not update this PR here but if necessary make new ones later.

Updated dependencies

Composer Dependencies (non-dev)

• composer/ca-bundle 1.5.7 -> 1.5.8
  https://github.com/composer/ca-bundle/releases/tag/1.5.8
  composer/ca-bundle@1.5.7...1.5.8

• symfony/console 6.4.23 -> 6.4.25
  https://github.com/symfony/console/releases/tag/v6.4.24
  https://github.com/symfony/console/releases/tag/v6.4.25
  symfony/console@v6.4.23...v6.4.25

• symfony/error-handler 6.4.23 -> 6.4.24
  https://github.com/symfony/error-handler/releases/tag/v6.4.24
  symfony/error-handler@v6.4.23...v6.4.24

• symfony/ldap 6.4.13 -> 6.4.24
  https://github.com/symfony/ldap/releases/tag/v6.4.24
  symfony/ldap@v6.4.13...v6.4.24

• symfony/options-resolver 6.4.16 -> 6.4.25
  https://github.com/symfony/options-resolver/releases/tag/v6.4.24
  https://github.com/symfony/options-resolver/releases/tag/v6.4.25
  symfony/options-resolver@v6.4.16...v6.4.25

• symfony/polyfill-mbstring 1.32.0 -> 1.33.0
  No changes, only new tag.
  symfony/polyfill-mbstring@v1.32.0...v1.33.0

• symfony/web-link 6.4.22 -> 6.4.24
  https://github.com/symfony/web-link/releases/tag/v6.4.24
  symfony/web-link@v6.4.22...v6.4.24

• symfony/yaml 6.4.23 -> 6.4.25
  https://github.com/symfony/yaml/releases/tag/v6.4.24
  https://github.com/symfony/yaml/releases/tag/v6.4.25
  symfony/yaml@v6.4.23...v6.4.25

NPM Dependencies (non-dev)

• @codemirror/autocomplete 6.18.6 -> 6.18.7
  https://github.com/codemirror/autocomplete/releases/tag/6.18.7
  codemirror/autocomplete@6.18.6...6.18.7

• @codemirror/lang-html 6.4.9 -> 6.4.10
  https://github.com/codemirror/lang-html/releases/tag/6.4.10
  codemirror/lang-html@6.4.9...6.4.10

• @codemirror/language 6.11.2 -> 6.11.3
  https://github.com/codemirror/language/releases/tag/6.11.3
  codemirror/language@6.11.2...6.11.3

• @codemirror/view 6.38.1 -> 6.38.2
  https://github.com/codemirror/view/releases/tag/6.38.2
  codemirror/view@6.38.1...6.38.2

• bootstrap 5.3.7 -> 5.3.8
  https://github.com/twbs/bootstrap/releases/tag/v5.3.8
  twbs/bootstrap@v5.3.7...v5.3.8

• sa11y 4.1.10 -> 4.2.3
  https://github.com/ryersondmp/sa11y/releases/tag/4.2.0
  https://github.com/ryersondmp/sa11y/releases/tag/4.2.1
  https://github.com/ryersondmp/sa11y/releases/tag/4.2.2
  https://github.com/ryersondmp/sa11y/releases/tag/4.2.3
  ryersondmp/sa11y@4.1.10...4.2.3

• vue 3.5.18 -> 3.5.21
  https://github.com/vuejs/core/releases/tag/v3.5.19
  https://github.com/vuejs/core/releases/tag/v3.5.20
  https://github.com/vuejs/core/releases/tag/v3.5.21
  vuejs/core@v3.5.18...v3.5.21

Composer Dependencies (dev)

• friendsofphp/php-cs-fixer 3.84.0 -> 3.87.2
  https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/tag/v3.85.0
  https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/tag/v3.85.1
  https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/tag/v3.86.0
  https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/tag/v3.87.0
  https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/tag/v3.87.1
  https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/tag/v3.87.2
  PHP-CS-Fixer/PHP-CS-Fixer@v3.84.0...v3.87.2

• phpstan/phpstan 2.1.19 -> 2.1.28
  https://github.com/phpstan/phpstan/releases/tag/2.1.20
  https://github.com/phpstan/phpstan/releases/tag/2.1.21
  https://github.com/phpstan/phpstan/releases/tag/2.1.22
  https://github.com/phpstan/phpstan/releases/tag/2.1.23
  https://github.com/phpstan/phpstan/releases/tag/2.1.24
  https://github.com/phpstan/phpstan/releases/tag/2.1.25
  https://github.com/phpstan/phpstan/releases/tag/2.1.26
  https://github.com/phpstan/phpstan/releases/tag/2.1.27
  https://github.com/phpstan/phpstan/releases/tag/2.1.28
  phpstan/phpstan@2.1.19...2.1.28

• phpunit/phpunit 9.6.23 -> 9.6.27
  https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.24
  https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.25
  https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.26
  https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.27
  sebastianbergmann/phpunit@9.6.23...9.6.27

• squizlabs/php_codesniffer 3.13.2 -> 3.13.4
  https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.13.3
  https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/tag/3.13.4
  PHPCSStandards/PHP_CodeSniffer@3.13.2...3.13.4

NPM Dependencies (dev)

• @babel/core 7.28.0 -> 7.28.4
  https://github.com/babel/babel/releases/tag/v7.28.1
  https://github.com/babel/babel/releases/tag/v7.28.2
  https://github.com/babel/babel/releases/tag/v7.28.3
  https://github.com/babel/babel/releases/tag/v7.28.4
  babel/babel@v7.28.0...v7.28.4

• @babel/preset-env 7.28.0 -> 7.28.3
  https://github.com/babel/babel/releases/tag/v7.28.3
  babel/babel@v7.28.0...v7.28.3

• @vue/compiler-sfc 3.5.18 -> 3.5.21
  https://github.com/vuejs/core/releases/tag/v3.5.19
  https://github.com/vuejs/core/releases/tag/v3.5.20
  https://github.com/vuejs/core/releases/tag/v3.5.21
  vuejs/core@v3.5.18...v3.5.21

• commander 14.0.0 -> 14.0.1
  https://github.com/tj/commander.js/releases/tag/v14.0.1
  tj/commander.js@v14.0.0...v14.0.1

• core-js 3.44.0 -> 3.45.1
  https://github.com/zloirock/core-js/releases/tag/v3.45.0
  https://github.com/zloirock/core-js/releases/tag/v3.45.1
  zloirock/core-js@v3.44.0...v3.45.1

• cypress 14.5.3 -> 15.2.0
  https://github.com/cypress-io/cypress/releases/tag/v14.5.4
  https://github.com/cypress-io/cypress/releases/tag/v15.0.0
  https://github.com/cypress-io/cypress/releases/tag/v15.1.0
  https://github.com/cypress-io/cypress/releases/tag/v15.2.0
  cypress-io/cypress@v14.5.3...v15.2.0
  See also https://docs.cypress.io/app/references/changelog

• esbuild 0.25.8 -> 0.25.10
  https://github.com/evanw/esbuild/releases/tag/v0.25.9
  https://github.com/evanw/esbuild/releases/tag/v0.25.10
  evanw/esbuild@v0.25.8...v0.25.10

• eslint 9.32.0 -> 9.35.0
  https://github.com/eslint/eslint/releases/tag/v9.33.0
  https://github.com/eslint/eslint/releases/tag/v9.34.0
  https://github.com/eslint/eslint/releases/tag/v9.35.0
  eslint/eslint@v9.32.0...v9.35.0

• fs-extra 11.3.0 -> 11.3.2
  https://github.com/jprichardson/node-fs-extra/releases/tag/11.3.1
  https://github.com/jprichardson/node-fs-extra/releases/tag/11.3.2
  jprichardson/node-fs-extra@11.3.0...11.3.2

• jasmine-core 5.9.0 -> 5.10.0
  https://github.com/jasmine/jasmine/releases/tag/v5.10.0
  jasmine/jasmine@v5.9.0...v5.10.0

• rollup 4.46.2 -> 4.51.0
  https://github.com/rollup/rollup/releases/tag/v4.46.3
  https://github.com/rollup/rollup/releases/tag/v4.46.4
  https://github.com/rollup/rollup/releases/tag/v4.47.0
  https://github.com/rollup/rollup/releases/tag/v4.47.1
  https://github.com/rollup/rollup/releases/tag/v4.48.0
  https://github.com/rollup/rollup/releases/tag/v4.48.1
  https://github.com/rollup/rollup/releases/tag/v4.49.0
  https://github.com/rollup/rollup/releases/tag/v4.50.0
  https://github.com/rollup/rollup/releases/tag/v4.50.1
  https://github.com/rollup/rollup/releases/tag/v4.50.2
  https://github.com/rollup/rollup/releases/tag/v4.51.0
  rollup/rollup@v4.46.2...v4.51.0

• sass-embedded 1.89.2 -> 1.92.1
  https://github.com/sass/embedded-host-node/releases/tag/1.90.0
  https://github.com/sass/embedded-host-node/releases/tag/1.91.0
  https://github.com/sass/embedded-host-node/releases/tag/1.92.0
  https://github.com/sass/embedded-host-node/releases/tag/1.92.1
  sass/embedded-host-node@1.89.2...1.92.1

• stylelint 16.23.0 -> 16.24.0
  https://github.com/stylelint/stylelint/releases/tag/16.23.1
  https://github.com/stylelint/stylelint/releases/tag/16.24.0
  stylelint/stylelint@16.23.0...16.24.0

Testing Instructions

Test 1: Check package build - Variant 1

This test shall verify that building the packages (which includes composer install and npm ci) still works and the installation package shows only the expected differences compared to a package created without this PR.

It requires to have a development environment (git clone, composer, npm) with runs either on a unixoid OS (Linux, Mac), or if on Windows it needs WSL2 and a Linux filesystem for the git clone.

If you don't have all that or are not familiar with development and package building, skip this test variant 1 and go to the next section for variant 2.

The description below assumes that you have a git clone of your fork with origin being the remote for your fork, and upstream being the remote to this repository here, as it is with a standard installation of GitHub desktop or most other Git clients.

1. Checkout your 5.4-dev branch and make sure that your branch is clean and up to date with the upstream 5.4-dev branch:

git clean -d -x -f
git checkout .
git checkout 5.4-dev
git remote update
git reset --hard upstream/5.4-dev

2. Build packages from the current branch (i.e. remote=HEAD) and redirect the output into a log file:

php ./build/build.php --remote=HEAD 2>&1 | tee ./tmp/build.log

3. Check that the created packages in the build/tmp/packages folder are complete and have plausible sizes:

ls -al ./build/tmp/packages/

4. Save the full installation zip package build/tmp/packages/Joomla_5.4.0-beta4-dev-Development-Full_Package.zip somewhere outside your git clone, e.g. in a folder test-pr-46099-before your home directory:

md ~/test-pr-46099-before
cp ./build/tmp/packages/Joomla_5.4.0-beta4-dev-Development-Full_Package.zip ~/test-pr-46099-before/

5. Copy the log file from step 2 to the same place:

cp ./tmp/build.log ~/test-pr-46099-before/

6. Clean up the branch

git clean -d -x -f
git checkout .

7. Fetch this pull request into a new local branch and check out that branch:

git fetch upstream pull/46099/head:test-pr-46099
git checkout test-pr-46099

8. Same as steps 2 to 5, but with a different folder outside of the git clone to save the results:

php ./build/build.php --remote=HEAD 2>&1 | tee ./tmp/build.log
ls -al ./build/tmp/packages/
md ~/test-pr-46099-after
cp ./build/tmp/packages/Joomla_5.4.0-beta4-dev-Development-Full_Package.zip ~/test-pr-46099-after/
cp ./tmp/build.log ~/test-pr-46099-after/

9. Unpack the full installation zip packages (one without this PR and one with this PR) into 2 separate folders.
10. Compare the content of the packages with a good comparison tool, e.g. Beyond Compare, TotalCommander, Meld, ...
    Result: See section "Expected result AFTER applying this Pull Request" below.
11. Compare the 2 logs (one without and one with this PR) from the previous steps.
    Result: See section "Expected result AFTER applying this Pull Request" below.

Test 1: Check package build - Variant 2

If you have executed the test in the previous section "Test 1: Check package build - Variant 1", you can skip the test here and directly continue with the next section "Test 2: Check if Joomla still works".

1. Download the latest 5.4 nightly build full installation zip package from here:
   https://developer.joomla.org/nightlies/Joomla_5.4.0-beta4-dev-Development-Full_Package.zip
2. Download the full installation zip package created by Drone for this PR from here:
   https://artifacts.joomla.org/drone/joomla/joomla-cms/5.4-dev/46099/downloads/88167/Joomla_5.4.0-beta4-dev+pr.46099-Development-Full_Package.zip
3. Unpack the packages downloaded in the previous 2 steps into 2 separate folders.
4. Compare the content of the packages with a good comparison tool, e.g. Beyond Compare, TotalCommander, Meld, ...
   Result: See section "Expected result AFTER applying this Pull Request" below.
5. Download the log of the "Packages" step of Drone CI for the last commit in the 5.4-dev branch of the CMS repo.
   You can find it here: https://ci.joomla.org/joomla/joomla-cms/88010/1/2
   Select the "Packager" step at the left side, then use the download button at the top right corner of the console lo area.
6. Do the same for the log of the "Packages" step of Drone CI for this PR.
   You can find it here: https://ci.joomla.org/joomla/joomla-cms/88103/1/2
   Select the "Packager" step at the left side, then use the download button at the top right corner of the console lo area.
7. Compare the 2 logs downloaded in the 2 previous steps.
   Result: See section "Expected result AFTER applying this Pull Request" below.

Test 2: Check if Joomla still works

1. Make a new installation with the full installation zip package for this PR, using the package from the previous test 1.
2. Check that everything looks and works as usual.
   Result: See section "Expected result AFTER applying this Pull Request" below.

Actual result BEFORE applying this Pull Request

Not applicable.

Expected result AFTER applying this Pull Request

When comparing the 2 installation zip packages, only the following differences can be found:

• Updated dependencies in the libraries/vendor folder or subfolders
• Notable differences mentioned in section "Summary of Changes" for the "bootstrap" update

Besides that, only the usual changes between 2 consecutive builds can be found, i.e. different ordering of assets in joomla.assets.json files and versions in css or js files.

When comparing the log files you can see the different versions in the composer install step.

The npm ci step may differ much due to the random order of processing dependencies and compiling assets due to the asynchronous execution of the dependency installation and the compilation steps.

But there are no new warnings shown at the beginning of that step, and at the end the summary is the same, too.

The installation made with the installation package for this PR looks and works as well as before.

There may meanwhile be again updates for some dependencies available, but this PR here is in synch with the merged 6.0-dev PR #46100 for the common update for both branches, so I will not update this PR here but if necessary make new ones later.

Link to documentations

Please select:

• Documentation link for docs.joomla.org:

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

[brianteeman]

Package	Current	Wanted	Latest	Location
eslint	9.35.0	9.36.0	9.36.0	node_modules/eslint
rollup	4.51.0	4.52.0	4.52.0	node_modules/rollup
sass-embedded	1.92.1	1.93.0	1.93.0	node_modules/sass-embedded

[richard67]

@brianteeman Please see the updated description (and also the end of the expected result in the testin instructions):

There may meanwhile be again updates for some dependencies available, but this PR here is in synch with the merged 6.0-dev PR #46100 for the common update for both branches, so I will not update this PR here but if necessary make new ones later.

[richard67]

P.S.: Another things is that these dependencies have updates every few days, some even daily, so we will for sure not be 100% up to date when we build RC 1.

[brianteeman]

Sorry I cannot mark this as successful/unsuccessful - maybe its me not understanding or following the instructions but my comparison of a local checkout composer and npm ci and the compared to the download from this repo shows very different css. Specifically the local build css in the media folders have comments and headers that are all removed from the downloaded version

example

[richard67]

@brianteeman That's just the copyright comment in the minified versions. We have already merged the same dependency update for bootstrap into 6.0-dev with PR #46100 .

@dgrammatiko Do you have an idea why that has changed (see Brian's screenshot in his comment above, left hand side = with this PR, right hand side = without it)? Is it due to an update for the stylelint or rollup or something like that, or is it due to the bootstrap update?

[brianteeman]

Then it is wrong as we MUST NOT remove the copyright statements ever. It is a breach of the licence

There were other changes in the CSS I observed such as removal of comments (which can be useful) and element ordering but thats just taste

The js files maintained the copyright headers if that helps you find the problem

[richard67]

Then it is wrong as we MUST NOT remove the copyright statements ever. It is a breach of the licence

There were other changes in the CSS I observed such as removal of comments (which can be useful) and element ordering but thats just taste

The js files maintained the copyright headers if that helps you find the problem

@brianteeman I see its vice versa to what I saw first. Right hand side is with this PR, left hand side without?

[brianteeman]

Left hand side was the result of a checkout of this branch followed by composer install and npm i
Right hand side was the downloaded package from this PR

[brianteeman]

but as i also said " maybe its me not understanding"

[richard67]

Left hand side was the result of a checkout of this branch followed by composer install and npm i Right hand side was the downloaded package from this PR

@brianteeman Hmm, the testing instructions say to compare the packages with and without this PR after a build.php run or from a download. The difference between running composer install and npm ci and building a package might be that the package build has the additional step to create the gzipped resources. And possibly also the versioning is different.

What happens if you clean up your branch and then change back to the normasl 5.4-dev branch and compare that with a normal 5.4-dev nightly build? I would assume you see the same differences, and that was not changed with this PR here.

[richard67]

When I compare packages I do not see these differences.

[brianteeman]

I will check again this afternoon

[brianteeman]

so i just checked the 5.3.3 release package and in that package I also observe that the copyright header is removed from media\vendor\bootstrap\css\bootstrap.min.css when it is present in a local build. So there is a problem somewhere with the build scripts as we must not remove the copyright headers. This also matches with a report from a user #45674 (comment)

[richard67]

@brianteeman But it's not related to this PR here, right? It happens with and without this PR, comparing a developer build and a package, right?

[richard67]

If I'm right and it's not related to this PR here, we should handle it separately with an extra issue.

[brianteeman]

yes thats right which is why I just raised an issue for it #46140

[richard67]

Thanks.

[richard67]

@brianteeman Something wrong with this PR? Or jost no time to continue testing?

[brianteeman]

No time and I won't have any until Thursday. https://share.google/WpQsDbV3vTnRpKLFG

[rdeutz]

Looked at all changes. I think composer changes are ok. For the NPM changes, I haven't spotted something that should effect us.

[muhme]

I have tested this item ✅ successfully on 0111d84

* ✅ Test 1. variant 1 with JBT 5.4-dev against gh pr checkout 46099

• Roughly compared build output with diff, after unifying the build number
  • Changed and more deprecations from .scss files
• A rough comparison of both versions unzipped
  • After removing of librariesand media/vendor folders 37 files differ
  • Some file content exist with different content orders e.g. media/system/joomla.asset.json (as usually between build runs)
  • Something is added as the already named changes with NPM dependency update of bootstrap from 5.3.7 to 5.3.8.
  • With the @vue/shared update there are changes in media/com_media/js/media-manager.js file
• ✅ Test 2. Updated existing 5.3.3 live sites clones
  • Enabled 'Debug System' and 'Log Almost Everything'
  • Updated with Joomla_5.4.0-beta4-dev+pr.46099-Development-Update_Package.zip
  • 1st site clone (multilingual site with 5 lanaguages and zitat-service.de module)
    • Frontend is still working
    • Created a user and an article
    • Checked joomla and PHP log
  • 2nd site clone (small site with some articles and > 1.000 images)
    • Frontend is still working
    • Created a user and an article
    • Checked joomla and PHP log

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46099.}

[muhme]

Big thank you @richard67 for all the detailed work with this PR. Thank you @rdeutz for your review. Thank you @dgrammatiko and @brianteeman for supporting this PR.