Advice on how to handle the following reported vulnerabilities?

Advice on how to handle the following reported vulnerabilities? Seems that node-red-node-email has some issues? Or am I reading the following wrong?

root@eccentric:/home/nodered/.node-red# npm audit fix
npm warn audit fix semver@5.3.0 node_modules/node-red-node-email/node_modules/semver
npm warn audit fix semver@5.3.0 is a bundled dependency of
npm warn audit fix semver@5.3.0 node-red-node-email@5.0.0 at node_modules/node-red-node-email
npm warn audit fix semver@5.3.0 It cannot be fixed automatically.
npm warn audit fix semver@5.3.0 Check for updates to the node-red-node-email package.
npm warn audit fix utf7@1.0.2 node_modules/node-red-node-email/node_modules/utf7
npm warn audit fix utf7@1.0.2 is a bundled dependency of
npm warn audit fix utf7@1.0.2 node-red-node-email@5.0.0 at node_modules/node-red-node-email
npm warn audit fix utf7@1.0.2 It cannot be fixed automatically.
npm warn audit fix utf7@1.0.2 Check for updates to the node-red-node-email package.
npm warn audit fix imap@0.8.19 node_modules/node-red-node-email/node_modules/imap
npm warn audit fix imap@0.8.19 is a bundled dependency of
npm warn audit fix imap@0.8.19 node-red-node-email@5.0.0 at node_modules/node-red-node-email
npm warn audit fix imap@0.8.19 It cannot be fixed automatically.
npm warn audit fix imap@0.8.19 Check for updates to the node-red-node-email package.

up to date, audited 396 packages in 9s

58 packages are looking for funding
  run `npm fund` for details

# npm audit report

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install node-red-node-email@0.1.12, which is a breaking change
node_modules/node-red-node-email/node_modules/semver
  utf7  >=1.0.2
  Depends on vulnerable versions of semver
  node_modules/node-red-node-email/node_modules/utf7
    imap  >=0.8.18
    Depends on vulnerable versions of utf7
    node_modules/node-red-node-email/node_modules/imap
      node-red-node-email  >=0.1.13
      Depends on vulnerable versions of imap
      node_modules/node-red-node-email

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

That is actually better than I expected! 🙂

Just to note that it is not safe to do an audit "fix" since it can break things. The correct approach is to raise an issue with the node's author(s) on GitHub.

In this case, node-red-node-email comes from the Node-RED core devs themselves.

The issue you have found, though listed as "high" severity, in the context of Node-RED would be relatively low I believe. I don't have that node in use: for the one process where I need IMAP access, I use an IMAP library directly in a function node, since it is a relatively complex, multi-step process that is better done that way.
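For anyone wanting to see exactly which copies the "cannot be fixed automatically" warnings above refer to, here is a small checker I put together (my own example, not code from this thread, from Node-RED or from the node's maintainers). It walks a node_modules tree, finds every installed copy of a package, flags the ones older than the advisory's safe version, and reports which of those are shipped as bundleDependencies of a parent, i.e. the ones npm audit fix cannot swap and only a new release of the parent can replace. The sample tree it builds is a constructed fixture mirroring the audit output in the first post (the hoisted semver@7.5.4 is made up for contrast).

```python
import json
import tempfile
from pathlib import Path

def parse_version(v):
    """'5.3.0' -> (5, 3, 0); a pre-release or build suffix is dropped."""
    return tuple(int(x) for x in v.split("-")[0].split("+")[0].split("."))

def find_nested_copies(node_modules, package, min_safe):
    """One record per installed copy of `package`; a copy is 'stale' when older
    than min_safe, and 'bundled_by' names a parent that ships it bundled."""
    root = Path(node_modules).resolve()
    findings = []
    for pkg_json in sorted(root.rglob(f"{package}/package.json")):
        pkg_dir = pkg_json.parent
        if pkg_dir.parent.name != "node_modules":
            continue  # e.g. a source folder that happens to share the name
        version = json.loads(pkg_json.read_text())["version"]
        bundled_by = None
        owner = pkg_dir.parent.parent  # the package that owns this node_modules
        if owner != root.parent and (owner / "package.json").exists():
            meta = json.loads((owner / "package.json").read_text())
            bundled = meta.get("bundleDependencies", meta.get("bundledDependencies", []))
            # npm accepts either spelling, and `true` means "bundle everything"
            if bundled is True or package in bundled:
                bundled_by = meta["name"]
        stale = parse_version(version) < parse_version(min_safe)
        findings.append({"path": str(pkg_dir.relative_to(root.parent)),
                         "version": version, "stale": stale, "bundled_by": bundled_by})
    return findings

def needs_upstream_fix(findings):
    """Stale copies npm audit fix cannot touch: only a release of the bundling package fixes them."""
    return [f for f in findings if f["stale"] and f["bundled_by"]]

def build_sample_tree():
    """Constructed fixture mirroring the audit output above: a safe hoisted
    semver plus semver@5.3.0 bundled inside node-red-node-email@5.0.0."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    def write(pkg_dir, meta):
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(meta))
    write(root / "semver", {"name": "semver", "version": "7.5.4"})
    email = root / "node-red-node-email"
    write(email, {"name": "node-red-node-email", "version": "5.0.0",
                  "bundleDependencies": ["semver", "utf7", "imap"]})
    write(email / "node_modules" / "semver", {"name": "semver", "version": "5.3.0"})
    return root
```

Point it at your real ~/.node-red/node_modules with the version from the advisory (here `find_nested_copies(path, "semver", "5.7.2")`); anything returned by `needs_upstream_fix` is a case for an issue against the node, not for `npm audit fix --force`.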

Fixed in 5.0.1
(npm now allows "overrides" so you/we can bump internal packages to (hopefully) safe versions)


Thanks guys. Appreciate it.