Node-red-node-email, Severity: moderate with npm audit

It's not like I'm getting any error yet; I thought I'd share it and understand why it's happening.

4 moderate severity vulnerabilities are shown when I install a node using the npm command line,

and when I enter 'npm audit', below is what I get:

C:\Users\Sahil>npm audit
# npm audit report

minimist  <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/node-red-node-email/node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/node-red-node-email/node_modules/optimist

nodemailer  <6.6.1
Severity: moderate
Header injection in nodemailer - https://github.com/advisories/GHSA-hwqf-gcqm-7353
fix available via `npm audit fix`
node_modules/node-red-node-email/node_modules/mailparser/node_modules/nodemailer
  mailparser  2.3.1 - 3.2.0
  Depends on vulnerable versions of nodemailer
  node_modules/node-red-node-email/node_modules/mailparser

4 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

and when I enter 'npm audit fix', below is what I get:

C:\Users\Sahil>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit fix minimist@0.0.10 node_modules/node-red-node-email/node_modules/optimist/node_modules/minimist
npm WARN audit fix minimist@0.0.10 is a bundled dependency of
npm WARN audit fix minimist@0.0.10 node-red-node-email@1.13.0 at node_modules/node-red-node-email
npm WARN audit fix minimist@0.0.10 It cannot be fixed automatically.
npm WARN audit fix minimist@0.0.10 Check for updates to the node-red-node-email package.
npm WARN audit fix nodemailer@6.5.0 node_modules/node-red-node-email/node_modules/mailparser/node_modules/nodemailer
npm WARN audit fix nodemailer@6.5.0 is a bundled dependency of
npm WARN audit fix nodemailer@6.5.0 node-red-node-email@1.13.0 at node_modules/node-red-node-email
npm WARN audit fix nodemailer@6.5.0 It cannot be fixed automatically.
npm WARN audit fix nodemailer@6.5.0 Check for updates to the node-red-node-email package.
npm WARN audit fix optimist@0.6.1 node_modules/node-red-node-email/node_modules/optimist
npm WARN audit fix optimist@0.6.1 is a bundled dependency of
npm WARN audit fix optimist@0.6.1 node-red-node-email@1.13.0 at node_modules/node-red-node-email
npm WARN audit fix optimist@0.6.1 It cannot be fixed automatically.
npm WARN audit fix optimist@0.6.1 Check for updates to the node-red-node-email package.
npm WARN audit fix mailparser@3.2.0 node_modules/node-red-node-email/node_modules/mailparser
npm WARN audit fix mailparser@3.2.0 is a bundled dependency of
npm WARN audit fix mailparser@3.2.0 node-red-node-email@1.13.0 at node_modules/node-red-node-email
npm WARN audit fix mailparser@3.2.0 It cannot be fixed automatically.
npm WARN audit fix mailparser@3.2.0 Check for updates to the node-red-node-email package.

up to date, audited 1144 packages in 4s

98 packages are looking for funding
  run `npm fund` for details

# npm audit report

Is it related to my installation only, or is anyone else getting similar output?
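For readers who want to see what the "Header injection in nodemailer" finding above refers to, here is an added, constructed illustration of that bug class (CR/LF in a header value). It is not nodemailer's code and not part of the original thread: a minimal RFC 5322 header serializer that trusts its caller, a parser standing in for the receiving mail server, and a hardened serializer that fails closed. The addresses and subject are made up.

```javascript
'use strict';
// Added illustration of the bug class behind the nodemailer advisory
// (header injection through CR/LF in a header value). This is NOT
// nodemailer's code: a minimal RFC 5322 header serializer that trusts the
// caller, a parser standing in for the receiving mail server, and a
// hardened serializer that fails closed.

// Naive serializer: one "Name: value" line per field, CRLF-terminated.
function buildHeadersNaive(fields) {
  return Object.entries(fields)
    .map(([name, value]) => `${name}: ${value}`)
    .join('\r\n') + '\r\n';
}

// Splits a header block back into [name, value] pairs the way a receiving
// MTA would, so we can see which headers the message really carries.
function parseHeaders(block) {
  const out = [];
  for (const line of block.split('\r\n')) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // blank line (or folded continuation; not handled here)
    out.push([line.slice(0, idx).trim(), line.slice(idx + 1).trim()]);
  }
  return out;
}

// Hardened serializer: a CR or LF anywhere in a name or value is the
// injection vector, so reject it outright rather than stripping it and
// hoping the remainder is benign.
function buildHeadersSafe(fields) {
  for (const [name, value] of Object.entries(fields)) {
    if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
      throw new Error(`CR/LF not allowed in header "${name}"`);
    }
  }
  return buildHeadersNaive(fields);
}

// Constructed untrusted input: a Subject taken verbatim from a web form.
const HOSTILE_SUBJECT = 'Order confirmation\r\nBcc: attacker@example.invalid';

// Naive path: the Subject is cut short and an extra Bcc header the
// application never set is delivered to the attacker.
function demoInjection() {
  const block = buildHeadersNaive({ To: 'customer@example.invalid', Subject: HOSTILE_SUBJECT });
  return parseHeaders(block);
}

// Hardened path: the hostile value is refused, and a clean value still
// serializes normally.
function demoHeaderHardened() {
  let error = null;
  try {
    buildHeadersSafe({ To: 'customer@example.invalid', Subject: HOSTILE_SUBJECT });
  } catch (e) {
    error = e.message;
  }
  const clean = parseHeaders(
    buildHeadersSafe({ To: 'customer@example.invalid', Subject: 'Order confirmation' })
  );
  return { error, clean };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoInjection());
  console.log(demoHeaderHardened());
}
```

Whether a library is actually exposed depends on whether untrusted input can reach a header field at all; the example shows the mechanism, not whether any particular flow is affected.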

Running audit fix can break your system as it may force an install of versions of nodes that are not compatible with other nodes. In this case it was not able to break your system as those nodes are packaged inside the email node (at least I think that is what it is saying).

I don't know whether the email node can be changed to use later versions of these nodes; I suggest that you submit an issue on the node's GitHub page. Issues · node-red/node-red-nodes · GitHub

If you search the forum for minimist you will find this comment by @knolleary:

The big problem with npm audit is that it lacks all context.

The "vulnerable" package listed there is minimist. It's a library used to parse command-line arguments.

Working up the stack, we see it is used by poplib - the pop3 client library the email node uses. On further investigation, we see that module includes a couple examples of its use. These examples are run on the command line. node-poplib/demos at master · ditesh/node-poplib · GitHub

The core of that module - the code that actually gets loaded when you require it - doesn't use minimist.

Thus that vulnerability is completely irrelevant in the context of the Node-RED node.

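To make the "Prototype Pollution in minimist" finding concrete, here is an added, constructed illustration of that bug class. It is not minimist's code and not part of the thread above: a deliberately minimal argv parser that supports dotted keys ("--a.b=c"), first in a naive form that can be steered into Object.prototype, then in a hardened form. The argument strings are made up. Note that the point made above still stands: this only matters where attacker-controlled argv actually reaches the parser at runtime, which is not the case for code that lives only in a package's demos.

```javascript
'use strict';
// Added illustration of the bug class behind the minimist advisory
// (prototype pollution). This is NOT minimist's code: a deliberately minimal
// argv parser supporting dotted keys ("--a.b=c"), shown first in a naive form
// that can be steered into Object.prototype, then in a hardened form.

// Naive parser: walks "--path.to.key=value" into nested plain objects.
// Because a plain object's "__proto__" resolves to Object.prototype, the
// argument "--__proto__.polluted=yes" writes onto every object in the process.
function parseArgsNaive(argv) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    const keys = m[1].split('.');
    let cur = out;
    for (let i = 0; i < keys.length - 1; i++) {
      if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
        cur[keys[i]] = {};
      }
      cur = cur[keys[i]];
    }
    cur[keys[keys.length - 1]] = m[2];
  }
  return out;
}

// Hardened parser: refuses the keys that reach a prototype and builds
// null-prototype objects, so there is no prototype chain to climb even if
// some other key slipped through.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseArgsSafe(argv) {
  const out = Object.create(null);
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    const keys = m[1].split('.');
    const bad = keys.find((k) => FORBIDDEN_KEYS.has(k));
    if (bad !== undefined) {
      throw new Error(`refusing argument "${arg}": key "${bad}" is not allowed`);
    }
    let cur = out;
    for (let i = 0; i < keys.length - 1; i++) {
      if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
        cur[keys[i]] = Object.create(null);
      }
      cur = cur[keys[i]];
    }
    cur[keys[keys.length - 1]] = m[2];
  }
  return out;
}

// Runs the naive parser on constructed attacker-controlled argv and reports
// what a fresh, unrelated object inherits before and after. Cleans
// Object.prototype up afterwards so the rest of the process is unaffected.
function demoPollution() {
  const argv = ['--port=8080', '--__proto__.polluted=yes'];
  const before = ({}).polluted;   // undefined
  parseArgsNaive(argv);
  const after = ({}).polluted;    // 'yes' on an object the parser never touched
  delete Object.prototype.polluted;
  return { before, after };
}

// Same argv through the hardened parser: no pollution, and the hostile
// argument is reported rather than silently dropped.
function demoSafeParser() {
  let error = null;
  try {
    parseArgsSafe(['--port=8080', '--__proto__.polluted=yes']);
  } catch (e) {
    error = e.message;
  }
  return { polluted: ({}).polluted, error, port: parseArgsSafe(['--port=8080']).port };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoPollution());
  console.log(demoSafeParser());
}
```

The practical check for a finding like this is the one described in the quoted comment: trace whether the flagged module is required by code that actually runs, and whether the input it parses can be attacker-controlled there.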
