Node-red-node-openweathermap 0.2.1 > Insufficient Entropy / severity vulnerability

After installing NR and the flow node-red-node-openweathermap 0.2.1
Node-RED Version: v1.0.3
Node.js Version: v12.16.1
Linux 4.19.79-v7+ arm LE
we got an npm audit error message which we are not able to fix.
What do we need to do?
npm audit fix does not work.

Installation process and error message
npm install node-red-node-openweathermap

npm WARN deprecated cryptiles@3.1.4: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN node-red-project@0.0.1 No repository field.
npm WARN node-red-project@0.0.1 No license field.

  • node-red-node-openweathermap@0.2.1
    updated 1 package, moved 1 package and audited 1404 packages in 27.849s

1 package is looking for funding
run npm fund for details

found 1 high severity vulnerability
run npm audit fix to fix them, or npm audit for details
sudo npm audit

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High │ Insufficient Entropy
Package │ cryptiles
Patched in │ >=4.1.2
Dependency of │ node-red-node-openweathermap
Path │ node-red-node-openweathermap > request > hawk > cryptiles
More info │ https://npmjs.com/advisories/1464
found 1 high severity vulnerability in 1404 scanned packages
1 vulnerability requires manual review. See the full report for details.

I think you need to raise an issue - that node is provided by node-red-web-nodes so you can raise the issue there.

The problem is the request node which was deprecated by the author a year ago. The openweathermap node hasn't been updated for 2 years (didn't need to be really).

Looks like the request module will need to be replaced - possibly with the popular axios request library.

Well despite being deprecated their last release is still somewhat newer than the one included in the node so I have bumped that in case it helps for now. Published as v0.2.2

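As an added illustration (not code from the thread, from the openweathermap node or from npm), here is a Node script that walks a package-lock.json v1-style dependency tree along the path the audit report printed (node-red-node-openweathermap > request > hawk > cryptiles), flags every copy of cryptiles below the patched minimum 4.1.2, and checks whether the dependent's declared range even admits a patched version. That last check is what puts a finding under "Manual Review": npm audit fix only updates a package to a version inside the range its dependent declares, so when the fix needs a new major of the transitive package, the dependent itself has to change, which is what the request bump in v0.2.2 did. The request and hawk versions and the declared ranges in the script are assumptions for illustration; only the package names, the path and "Patched in >=4.1.2" come from the audit output.

```javascript
// Added example, not code from the thread or the openweathermap node. It walks a
// package-lock.json v1-style tree, flags every copy of a package below the
// advisory's patched minimum, and checks whether the dependent's declared range
// even admits the patched version (if not, npm audit fix cannot help: "Manual Review").
// The trees, versions and ranges below are constructed; only the package names,
// the path and "Patched in >=4.1.2" come from the audit output in the thread.

const PATCHED_MIN = "4.1.2"; // "Patched in >=4.1.2" in the audit report

// Compare two plain x.y.z versions: -1, 0 or 1. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does a declared range admit `version`? Handles "*", ">=a.b.c" and the
// wildcard form "N.x.x" / "N.M.x"; the full semver grammar is out of scope.
function rangeAdmits(range, version) {
  if (range === "*") return true;
  if (range.startsWith(">=")) return compareVersions(version, range.slice(2)) >= 0;
  const have = version.split(".");
  return range.split(".").every((part, i) => part === "x" || part === have[i]);
}

// Depth-first walk over nested "dependencies" entries (lockfile v1 shape). Each
// occurrence of `name` is recorded with its path, installed version and the range
// its immediate dependent declares in "requires". Hoisted (top-level) copies are
// reported too, but are not traced back to the dependents that require them.
function findPackage(tree, name, prefix = []) {
  const hits = [];
  for (const [dep, entry] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, dep];
    if (dep === name) {
      hits.push({ path, version: entry.version, declared: (tree.requires || {})[name] || "*" });
    }
    hits.push(...findPackage(entry, name, path));
  }
  return hits;
}

// One row per occurrence: vulnerable if below patchedMin; fixable if the
// dependent's declared range admits patchedMin, so audit fix could bump it.
function auditPackage(tree, name, patchedMin) {
  return findPackage(tree, name).map(hit => ({
    path: hit.path.join(" > "),
    version: hit.version,
    vulnerable: compareVersions(hit.version, patchedMin) < 0,
    fixable: rangeAdmits(hit.declared, patchedMin),
  }));
}

// Counts in the shape of npm's summary line: vulnerable occurrences, and how
// many of them need manual review because no in-range fix exists.
function summarize(tree, name, patchedMin) {
  const vulnerable = auditPackage(tree, name, patchedMin).filter(r => r.vulnerable);
  return { vulnerable: vulnerable.length, manualReview: vulnerable.filter(r => !r.fixable).length };
}

// Builder for the constructed lockfile entries: pkg(version, dependencies, requires).
const pkg = (version, dependencies = {}, requires = {}) => ({ version, dependencies, requires });

// Constructed tree resembling the 0.2.1 install from the thread. The request
// and hawk versions and hawk's "3.x.x" range are assumptions.
const before = { dependencies: {
  "node-red-node-openweathermap": pkg("0.2.1", {
    request: pkg("2.88.0", {
      hawk: pkg("6.0.2", { cryptiles: pkg("3.1.4") }, { cryptiles: "3.x.x" }), // 3.x.x never admits 4.1.2
    }),
  }),
} };

// Constructed tree after the bump to v0.2.2. The thread only shows that audit
// then reports 0 vulnerabilities; every version and range here is an assumption.
const after = { dependencies: {
  "node-red-node-openweathermap": pkg("0.2.2", {
    request: pkg("2.88.2", {
      hawk: pkg("7.1.0", { cryptiles: pkg("4.1.2") }, { cryptiles: "4.x.x" }),
    }),
  }),
} };

for (const [label, tree] of [["0.2.1", before], ["0.2.2", after]]) {
  console.log(label, summarize(tree, "cryptiles", PATCHED_MIN));
}
```

Run with `node audit-path.js`; the first tree reproduces the report's "1 vulnerability requires manual review" shape, the second yields zero. To apply it to a real install, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass it as `tree`; note that npm hoists shared dependencies to the top level, so on a real lockfile the `requires` of the dependent, not the nesting, is what fixes the declared range.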

Thank you all very much for your fast reply and support!

Now the npm audit report is ok after reinstalling the flow v0.2.2:

npm audit
=== npm audit security report ===
found 0 vulnerabilities

We appreciate very much your help, really a great service!
Thanks guys
