Low severity vulnerability that won't go away

For a long time npm audit on my main Node-Red machine has reported 1 vulnerability in node-red-node-email:

I have run the Raspberry install script several times, which has updated to the latest Node-Red but not fixed the issue.
Other Raspberry Pies with the same version of Node-Red show "0 vulnerabilities".

How can I resolve this?

Are you using the latest version of the email node? Check in manage palette.

If yes then go into your .node-red folder and run
npm list minimist
and paste the section for the email node.

Yes it's the latest version.
I discovered that the problem doesn't arise on the other Pies because the node isn't installed. (Could have sworn it was part of the core) :blush:

pi@GlassPi:~/.node-red $ npm list minimist
node-red-project@0.0.1 /home/pi/.node-red
├─┬ node-red-node-email@1.12.3
│ ├─┬ mailparser@3.2.0
│ │ └─┬ html-to-text@7.0.0
│ │   └── minimist@1.2.5
│ └─┬ poplib@0.1.7
│   └─┬ optimist@0.6.1
│     └── minimist@0.0.10
└─┬ node-red-node-serialport@0.14.1
  └─┬ serialport@9.2.1
    └─┬ @serialport/bindings@9.2.1
      └─┬ prebuild-install@6.1.4
        ├── minimist@1.2.5
        └─┬ rc@1.2.8
          └── minimist@1.2.5  deduped

Poplib - last updated 8 years ago. I guess the answer is to find a different email solution.

Or you could cd to node-red-node-email > poplib > optimist and update minimist to the latest 0.x version.

Note: This would only be good until the next email node update.

The big problem with npm audit is that it lacks all context.

The "vulnerable" package listed there is minimist. It's a library used to parse command-line arguments.

Working up the stack, we see it is used by poplib - the POP3 client library the email node uses. On further investigation, we see that module includes a couple of examples of its use. These examples are run on the command line: node-poplib/demos at master · ditesh/node-poplib · GitHub

The core of that module - the code that actually gets loaded when you require it - doesn't use minimist.

Thus that vulnerability is completely irrelevant in the context of the Node-RED node.


Thanks for looking into it.

Even if the vulnerability was relevant to the node it wouldn't be much of a worry since my Node-Red isn't public.
