Low severity vulnerability that won't go away

For a long time npm audit on my main Node-Red machine has reported 1 vulnerability in node-red-node-email:

I have run the Raspberry install script several times, which has updated to the latest Node-Red but not fixed the issue.
Other Raspberry Pies with the same version of Node-Red show "0 vulnerabilities".

How can I resolve this?

Are you using the latest version of the email node? Check in manage palette.

If yes then go into your .node-red folder and run
npm list minimist
and paste the section for the email node.

Yes it's the latest version.
I discovered that the problem doesn't arise on the other Pies because the node isn't installed. (Could have sworn it was part of the core) :blush:

pi@GlassPi:~/.node-red $ npm list minimist
node-red-project@0.0.1 /home/pi/.node-red
โ”œโ”€โ”ฌ node-red-node-email@1.12.3
โ”‚ โ”œโ”€โ”ฌ mailparser@3.2.0
โ”‚ โ”‚ โ””โ”€โ”ฌ html-to-text@7.0.0
โ”‚ โ”‚   โ””โ”€โ”€ minimist@1.2.5
โ”‚ โ””โ”€โ”ฌ poplib@0.1.7
โ”‚   โ””โ”€โ”ฌ optimist@0.6.1
โ”‚     โ””โ”€โ”€ minimist@0.0.10
โ””โ”€โ”ฌ node-red-node-serialport@0.14.1
  โ””โ”€โ”ฌ serialport@9.2.1
    โ””โ”€โ”ฌ @serialport/bindings@9.2.1
      โ””โ”€โ”ฌ prebuild-install@6.1.4
        โ”œโ”€โ”€ minimist@1.2.5
        โ””โ”€โ”ฌ rc@1.2.8
          โ””โ”€โ”€ minimist@1.2.5  deduped

Poplib - last updated 8 years ago. I guess the answer is to find a different email solution.

Or you could CD to node-red-node-email > poplib > optimist and update minimist to latest 0.x version

Note: This would only be good until the next email node update.

The big problem with npm audit is that lacks all context.

The "vulnerable" package listed there is minimist. Its a library used to parse command-line arguments.

Working up the stack, we see it is used by poplib - the pop3 client library the email node uses. On further investigation, we see that module includes a couple examples of its use. These examples are run on the command line. node-poplib/demos at master ยท ditesh/node-poplib ยท GitHub

The core of that module - the code that actually gets loaded when you require it - doesn't use minimist.

Thus that vulnerability is completely irrelevant in the context of the Node-RED node.

2 Likes

Thanks for looking into it.

Even if the vulnerability was relevant to the node it wouldn't be much of a worry since my Node-Red isn't public.