Node-RED installation high severity CVE (Multer)


I am facing this issue, how do I resolve it?

npm WARN deprecated multer@1.4.4: Multer 1.x is affected by CVE-2022-24434. This is fixed in v1.4.4-lts.1 which drops support for versions of Node.js before 6. Please upgrade to at least Node.js 6 and version 1.4.4-lts.1 of Multer. If you need support for older versions of Node.js, we are open to accepting patches that would fix the CVE on the main 1.x release line, whilst maintaining compatibility with Node.js 0.10.

npm WARN deprecated axios@0.27.0: Formdata complete broken, incorrect build size

I'm afraid there is not much you can do other than raise an issue against Node-RED in GitHub. It requires an update to Node-RED. Of course, depending on what creates those dependencies, if they are deeply embedded, it might not even be possible to update them.

It looks like this CVE is only a few days old. We are coming up to doing a 2.2.3 maintenance release in the next few days that will pick this up.

A reminder this warning doesn't mean the install failed. It is just a warning.


Though they seem to have used -beta tags, so it will need to be specified manually rather than letting the usual semantic versioning pick it up.

You can try to update Multer with this command:
npm i multer@1.4.4-lts.1

Make sure you are in the correct installation folder of Node-RED; sometimes it is not in C:
so you won't use:
C:>node-red
only:
node-red
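
To confirm which Multer copies an install actually resolved after an update like the one above, the lockfile can be scanned. This is an added example, not part of the original thread or of Node-RED; the sample lockfile, its package paths and the function names are constructed for illustration, and the affected/fixed rule is an assumption taken from the npm warning text.

```javascript
// Scan an npm lockfile (v2/v3 "packages" map) for multer copies still
// affected by CVE-2022-24434.

// Constructed sample lockfile; paths are illustrative, not Node-RED's real tree.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-install", version: "0.0.0" },
    "node_modules/multer": { version: "1.4.4" },
    "node_modules/example-plugin/node_modules/multer": { version: "1.4.4-lts.1" },
    "node_modules/axios": { version: "0.27.0" }
  }
};

// Split "1.4.4-lts.1" into numeric core [1,4,4] and prerelease tag "lts.1".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || "" };
}

// Compare the numeric cores only: negative, zero or positive.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Assumption from the npm warning: every 1.x release is affected except the
// "-lts." line starting at 1.4.4-lts.1. A plain semver ">= 1.4.4-lts.1" test
// would be wrong here, because semver ranks 1.4.4 above 1.4.4-lts.1.
function isAffectedMulter(version) {
  const p = parseVersion(version);
  if (!p) return true;                 // unparseable: flag for manual review
  if (p.core[0] !== 1) return false;   // the warning only covers 1.x
  const onLtsLine = p.pre.startsWith("lts.") && compareCore(p.core, [1, 4, 4]) >= 0;
  return !onLtsLine;
}

// Return every multer copy in the lockfile, nested ones included.
function findMulter(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/multer$/.test(path))
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffectedMulter(meta.version) }));
}

console.log(findMulter(sampleLock));
```

A nested copy under another package's node_modules is not changed by installing Multer at the top level, which is why the scan reports each path separately.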