Node-red-node-openweathermap 0.2.1 > Insufficient Entropy / severity vulnerability

RueCo · 27 February 2020 16:20

After installing NR and the flow node-red-node-openweathermap 0.2.1
Node-RED Version: v1.0.3
Node.js Version: v12.16.1
Linux 4.19.79-v7+ arm LE
we got an npm audit error message which we are not able to fix.
What do we need to do?
npm audit fix does not work.

Installation process and error message
npm install node-red-node-openweathermap

npm WARN deprecated cryptiles@3.1.4: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN node-red-project@0.0.1 No repository field.
npm WARN node-red-project@0.0.1 No license field.

node-red-node-openweathermap@0.2.1
updated 1 package, moved 1 package and audited 1404 packages in 27.849s

1 package is looking for funding
run npm fund for details

found 1 high severity vulnerability
run npm audit fix to fix them, or npm audit for details
sudo npm audit

                   === npm audit security report ===                        
                                                                            
                            Manual Review
        Some vulnerabilities require your attention to resolve
     Visit https://go.npm.me/audit-guide for additional guidance

High │ Insufficient Entropy
Package │ cryptiles
Patched in │ >=4.1.2
Dependency of │ node-red-node-openweathermap
Path │ node-red-node-openweathermap > request > hawk > cryptiles
More info │ https://npmjs.com/advisories/1464
found 1 high severity vulnerability in 1404 scanned packages
1 vulnerability requires manual review. See the full report for details.

TotallyInformation · 27 February 2020 17:40

I think you need to raise an issue - that node is provided by node-red-web-nodes so you can raise the issue there.

The problem is the request node which was deprecated by the author a year ago. The openweathermap node hasn't been updated for 2 years (didn't need to be really).

Looks like the request module will need to be replaced - possibly with the popular axios request library.

dceejay · 27 February 2020 19:57

Well despite being deprecated their last release is still somewhat newer than the one included in the node so I have bumped that in case it helps for now. Published as v0.2.2

RueCo · 27 February 2020 21:08

Thank you all very much for your fast reply and support!

Now the npm audit report is ok after reinstalling the flow v0.2.2:

npm audit
=== npm audit security report ===
found 0 vulnerabilities

We appreciate very much your help, really a great service!
Thanks guys

system · 27 April 2020 21:08

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Openweathermap fails to install General	5	464	14 February 2022
I cant Install node-red General	9	1826	21 June 2021
Constant Node-RED must be restarted to enable upgraded modules General	7	1064	5 December 2020
Package vulnerabilities General	26	3810	7 November 2018
Npm audit fails General	29	3579	12 January 2022

Node-red-node-openweathermap 0.2.1 > Insufficient Entropy / severity vulnerability

Related Topics