WHy would you want to do this ?
The whole point of docker is that a container is meant to be immutable - i think you have missed the whole point.
You want something changed/updated IN a container - then you pull down a new version - YOU DO NOT update inside a container - this makes no sense
Craig
I'm not arguing your point. My objective was not to update in the container, but to learn the extent of the exec node. I just happened to pick the update as my excercise.
As it turns out - you are absolutely correct - it is a stupid excercise. Allthough Jan's advice allowed me to elevate user node-red (I appreciate what I learned from him), it still doesn't allow me to complete the task.
As it turns out - the NodeRed container cannot be updated that way. Even if I log into the container as root, and manually update NPM as well as node-red, it fails. Even though it does confirm the update, I still have to log out and restart the container, which will discard the update and just relaunch the original image (i.e. previous version). I guess this is by design, as I have many other containers that can be updated from within the container (PiHole, Logitech Media Server, etc.)
So I guess there are no absolute trouth here, but still some best practices.
Thank you all for your valuable help and guidance.
I learned a lot today even though I had to capitulate 
Well actually there is, it is a fundamental concept of containers.
An image is build from a Dockerfile, the dockerfile describes how the image should be build, users, paths, versions etc. when you execute docker run, the image+container are generated. You should consider this container as immutable, in reality it is not, but you should assume this.
Everything related to the container which needs to be mutable, should live - outside - the container, in a volume, bind mount etc.
To update to another version, you should execute a docker pull image-name:version/tag, which in turn creates a new image/container. Stop the old one and run the new version with same parameters as the previous one, now you have new container with the same data as before, but with a different version.
as I have many other containers that can be updated from within the container (PiHole, Logitech Media Server, etc.)
You are not updating the containers, but only the software within them (which comes with their own set of issues).
Indeed, thanks for putting that straight - and, that's of course what I meant and also what I want to do. I didn't even know that updating the container versus updating the SW within it, are to separate issues (?)
Yes they are, many docker images use docker-compose to make it even easier and like dave pointed out, with watchtower they can be automagically updated.
If you read the documentation from Pihole for example, they explicitly state not to update within the container.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarksā¢ or registeredĀ® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy