Bcrypt update from 3.0.6 to 5.0.0

When using node-red in my project, I get flagged on a vulnerability with Bcrypt within the node-red admin module. The suggested action is to upgrade bcrypt to 5.0.0. Is there a reason why this hasn't been done? Can a Pull Request of the upgrade of bcrypt 3.0.6 to 5.0.0 be made?

I'm currently using node-red@1.1.3.

Here is a snippet of my audit:

Hi,

We're aware of this issue with bcrypt and are currently working out what to do.

Node-RED 1.x still supports Node 8. Unfortunately bcrypt 5.x no longer supports Node 8. So we can't simply upgrade bcrypt in a minor release. We can only drop Node 8 support in a major version change. Our release plan has Node-RED 2.0 scheduled next April when we'll drop Node 8 and 10 at the same time (as they will both be out of maintenance by then).

We're currently evaluating whether to bring the 2.0 release forward and rearranging the whole release plan.

In mitigation, based on our initial evaluation, we don't believe this vulnerability is applicable to how we use the module. The vulnerability with bcrypt is with its handling of payloads > 256 bytes. Given we only use it for hashing passwords, it is exceedingly unlikely that users will have >256 character passwords.

It is unfortunate that the crude nature of the npm audit scan means there's no way for us to explain this mitigation and get us unflagged.
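One way to turn the mitigation described above into an explicit check, as an added example that is not Node-RED's or the bcrypt package's own code: measure the password in UTF-8 bytes (the 256-byte boundary from the post is a byte count, not a character count) and refuse to hash anything past it. The `hasher` parameter, the `defaultHasher` helper and the `bcrypt.hash(data, rounds)` call are assumptions for illustration.

```javascript
// Added example (not Node-RED code): guard bcrypt input at the 256-byte
// boundary the maintainers describe, measuring bytes rather than characters.
const BCRYPT_SAFE_MAX_BYTES = 256; // threshold quoted in the thread

function bcryptInputByteLength(password) {
  // bcrypt hashes the UTF-8 encoding, so 100 three-byte characters are
  // 300 bytes and cross the boundary even though "100 characters" sounds safe.
  return Buffer.byteLength(String(password), 'utf8');
}

function isSafeBcryptInput(password) {
  return bcryptInputByteLength(password) <= BCRYPT_SAFE_MAX_BYTES;
}

// Default hasher (assumption): the `bcrypt` npm package's hash(data, rounds).
// Required lazily so the guard functions above work without the module.
async function defaultHasher(password) {
  const bcrypt = require('bcrypt');
  return bcrypt.hash(password, 10);
}

async function hashPassword(password, hasher = defaultHasher) {
  if (!isSafeBcryptInput(password)) {
    // Reject rather than silently truncate: a hash computed over the wrong
    // bytes would later fail to verify, or verify the wrong input.
    throw new RangeError(`password exceeds ${BCRYPT_SAFE_MAX_BYTES} bytes`);
  }
  return hasher(password);
}

module.exports = { BCRYPT_SAFE_MAX_BYTES, bcryptInputByteLength, isSafeBcryptInput, hashPassword };
```

The guard sits in front of whatever bcrypt version is installed, so it documents the assumption the maintainers rely on instead of leaving it implicit.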

Hey!

No, just kidding, even I'm not that bad. :sunglasses:

