Installing NR/Node on a new Pi

Hi

I'm busy doing yet another NR install and..

Some comments on Node-Red install on Raspberry Pi (Stretch or Buster - RPI4 but most likely 2, 3 or 4) I’ve been meaning to make for some time..

  1. When installing nodes, after every single one there is a message "found 1 high severity vulnerability" – repeated every time. Any way to make it report once only?
  2. Node-red-node-sqlite remains a DISASTER AREA of WARNINGS and notes….. a massive and utterly confusing mess, is this necessary as most of us can do nothing about it?
  3. Node-red-node-arduino – another (but much smaller) disaster area of warnings – seems to be about serial. As above, any way to turn warnings off?

Is there any way in the upgrade script to turn off warnings and even rationalise the high severity warning?

Best regards

Pete

Hi Pete,

The topic says "installing on a new Pi" - I'm not aware that our install script installs sqlite or arduino on a new Pi - or reports any high severity vulnerabilities. And they are already hidden behind the multi line install ui... So which install script are you referring to?

  1. can you show which vulnerability it is reporting about?
  2. usually this is caused by the underlying binaries compiling or not compiling correctly - if installed correctly using the --unsafe-perm option it will take ages on a Pi but should then be ok after that... but yes on an operating system upgrade it will take that time again.
  3. often this is again due to incompatible versions of the underlying serial driver. Same as 2 - ensure it is installed using the --unsafe-perm option.

Having said that - of course the script could maybe try to handle some of this better - but until it is reported we don't know about it. But as I said at the start "our" script already hides all the warnings and doesn't handle those nodes explicitly - so maybe it's something else?

So is this a clean install? Or upgrade?

One other thing that I now do, at least for the main Node-RED installation (see my alternate installer) is to use the --production flag along with --unsafe-perm to try to make sure I don't pick up any unnecessary dev dependencies.

Also, to find the packages with security vulnerability warnings, you can run npm audit. Here is the output for my dev install - this is in the master folder with just Node-RED installed:

C:\src\nr
λ  npm audit

                       === npm audit security report ===                        

# Run  npm update lodash.merge --depth 4  to resolve 1 vulnerability

  High            Prototype Pollution                                           

  Package         lodash.merge                                                  

  Dependency of   node-red                                                      

  Path            node-red > @node-red/nodes > cheerio > lodash.merge           

  More info       https://nodesecurity.io/advisories/1066                       



# Run  npm update lodash --depth 5  to resolve 1 vulnerability

  High            Prototype Pollution                                           

  Package         lodash                                                        

  Dependency of   node-red                                                      

  Path            node-red > node-red-node-email > mailparser > html-to-text >  
                  lodash                                                        

  More info       https://nodesecurity.io/advisories/1065                       



found 2 high severity vulnerabilities in 1662 scanned packages
  run `npm audit fix` to fix 2 of them.
C:\src\nr

As you can see, currently 2 core nodes are producing warnings, both because of lodash which has had some vulnerabilities recently reported.

Of course, it takes time to update something like Node-RED so even if lodash has been updated, it isn't always easy to get NR updated quickly.

This is also a reason I would be reluctant to expose NR direct to the Internet, even via a reverse proxy. Though in this case, the vulnerabilities probably wouldn't be an issue however since the vulnerability relates to malicious code overwriting a lodash built-in function.

Before recent improvements to npm, these kinds of issues went unseen. So it is good to have them exposed. However, we need to get used to seeing the reports and working out whether they are critical enough to fix immediately or can wait a while.

GitHub also now provides vulnerability warnings and I hope that the main Node-RED GitHub repos have this feature turned on so that core devs are seeing issues immediately.
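To turn a report like the one above into a decision rather than a wall of warnings, here is an added example (not from this thread or from the Node-RED project) that reads `npm audit --json` output, keeps only advisories at or above a chosen severity, and names the node each vulnerable package comes in through. The sample input is constructed from the two lodash advisories shown above; the npm 6 JSON layout (`advisories` / `findings` / `metadata`) is an assumption.

```python
import json
import sys

# Constructed sample of `npm audit --json` output (npm 6 JSON layout is assumed),
# mirroring the two lodash advisories in the text report above.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1066": {"id": 1066, "module_name": "lodash.merge", "severity": "high",
                 "title": "Prototype Pollution",
                 "url": "https://nodesecurity.io/advisories/1066",
                 "findings": [{"paths": ["node-red>@node-red/nodes>cheerio>lodash.merge"]}]},
        "1065": {"id": 1065, "module_name": "lodash", "severity": "high",
                 "title": "Prototype Pollution",
                 "url": "https://nodesecurity.io/advisories/1065",
                 "findings": [{"paths": ["node-red>node-red-node-email>mailparser>html-to-text>lodash"]}]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 2, "critical": 0},
                 "totalDependencies": 1662},
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def triage(audit_json, threshold="high"):
    """Advisories at or above `threshold`, most severe first. `via` lists the node(s)
    that depend on the vulnerable package, so a core node is distinguishable from a contrib one."""
    report = json.loads(audit_json)
    hits = []
    for adv in report.get("advisories", {}).values():
        if SEVERITY_RANK.get(adv["severity"], 0) < SEVERITY_RANK[threshold]:
            continue
        paths = [p for finding in adv["findings"] for p in finding["paths"]]
        hits.append({
            "id": adv["id"], "module": adv["module_name"], "severity": adv["severity"],
            "title": adv["title"], "url": adv["url"], "paths": paths,
            # second hop in "node-red>X>...": X is the node that pulls the package in
            "via": sorted({p.split(">")[1] for p in paths if ">" in p}),
        })
    return sorted(hits, key=lambda h: (-SEVERITY_RANK[h["severity"]], h["module"]))

def summary_counts(audit_json):
    """(per-severity counts, number of scanned packages), as printed in the report footer."""
    meta = json.loads(audit_json)["metadata"]
    return meta["vulnerabilities"], meta["totalDependencies"]

if __name__ == "__main__":  # usage: npm audit --json | python3 triage_audit.py
    data = SAMPLE_AUDIT if sys.stdin.isatty() else sys.stdin.read()
    for hit in triage(data):
        print(f'{hit["severity"]:>8}  {hit["module"]:<14} via {", ".join(hit["via"])}  {hit["url"]}')
```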

I'm using your script as part of my script for any new install - ie onto a virgin Pi - full Raspbian and many of the tools I talk about on my blog - Mosquitto, Grafana etc along with NR. I abandoned my own handling of NR in favour of your script ages ago, but thinking about it I guess the extra nodes like SQLITE are added later in my script - using the normal npm command..... in that case can I rephrase my query - is there any way you know of when adding nodes to a new setup - to turn off warnings as against errors?

Thanks for that....


Have you followed the suggestions on one of the many answers on stackoverflow such as this one?

UKMOOSE – the short answer is no, I have a life and hence follow only a small number of forums important to me such as this one.. accordingly I very rarely visit StackOverflow. I also spend much of my time answering other people's questions and hence count on a small number of people who regularly manage to help me.

However as you’ve kindly made it easy for me, I’ll take a look.

Ta

Pete

I did consider the silent option but then you get nothing so have no clue when things do go wrong. What we do is redirect everything to an install log so then at least we can ask the user to look at that when things get out of whack. You can see how we do it on most commands in our script file.

Also the silent option is an environment setting so unless you undo it later it will apply to all subsequent installs, which may not be what the user wants.