For a long time npm audit on my main Node-Red machine has reported 1 vulnerability in node-red-node-email:
I have run the Raspberry install script several times, which has updated to the latest Node-Red but not fixed the issue.
Other Raspberry Pis with the same version of Node-Red show "0 vulnerabilities".
How can I resolve this?
Are you using the latest version of the email node? Check in manage palette.
If yes then go into your .node-red folder and run
npm list minimist
and paste the section for the email node.
Yes it's the latest version.
I discovered that the problem doesn't arise on the other Pis because the node isn't installed. (Could have sworn it was part of the core.)
pi@GlassPi:~/.node-red $ npm list minimist
│ ├─┬ firstname.lastname@example.org
│ │ └─┬ email@example.com
│ │ └── firstname.lastname@example.org
│ └─┬ email@example.com
│ └─┬ firstname.lastname@example.org
│ └── email@example.com
└── firstname.lastname@example.org deduped
Poplib - last updated 8 years ago. I guess the answer is to find a different email solution.
Or you could cd to node-red-node-email > poplib > optimist and update minimist to the latest 0.x version.
Note: This would only be good until the next email node update.
The big problem with npm audit is that it lacks all context.
The "vulnerable" package listed there is minimist. It's a library used to parse command-line arguments.
Working up the stack, we see it is used by poplib - the pop3 client library the email node uses. On further investigation, we see that module includes a couple of examples of its use. These examples are run on the command line. node-poplib/demos at master · ditesh/node-poplib · GitHub
The core of that module - the code that actually gets loaded when you require it - doesn't use minimist.
Thus that vulnerability is completely irrelevant in the context of the Node-RED node.
Thanks for looking into it.
Even if the vulnerability was relevant to the node it wouldn't be much of a worry since my Node-Red isn't public.