I just ran npm audit on my node-red installation and got a different result.
```
D:\src\nr>npm audit
# npm audit report
axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install node-red-admin@0.1.8, which is a breaking change
node_modules/axios
node-red-admin >=0.2.0
Depends on vulnerable versions of axios
node_modules/node-red-admin
node-red >=1.1.0-beta.1
Depends on vulnerable versions of node-red-admin
node_modules/node-red
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
D:\src\nr>
```
Since node-red-admin isn't really needed for the most part by most people, that wouldn't really be much of an issue.
When I run audit on my userDir, I get more results. But still only one against axios and that is a contributed node.
Ah, that's interesting, I get a slightly different result on Linux.
On Windows, the "fix" offers to update just node-red-admin, on Linux it offers to "fix" node-red.
Either way, the axios dependency is on node-red-admin only, which doesn't seem much of a risk to me.
Shouldn't really need to say this but - don't ever run npm audit fix - if you do, you will almost certainly break something. It is a nefarious part of npm.
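
Added example, not part of the original post: a read-only triage of `npm audit --json` output that collapses the "3 moderate severity vulnerabilities" into the advisories that actually cause them and flags when the offered fix is a breaking (semver-major) change. It assumes the npm 7+ JSON layout; `rootAdvisories` and `summarize` are hypothetical helper names, and the sample report is constructed from the output above (the `isDirect` values are assumed).

```javascript
// Constructed sample: trimmed `npm audit --json` report (npm 7+ layout)
// mirroring the text report above. isDirect values are assumptions.
const fix = { name: "node-red-admin", version: "0.1.8", isSemVerMajor: true };
const report = {
  vulnerabilities: {
    axios: {
      name: "axios", severity: "moderate", isDirect: false,
      via: [{ title: "Axios Cross-Site Request Forgery Vulnerability",
              url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" }],
      effects: ["node-red-admin"], range: "0.8.1 - 1.5.1", fixAvailable: fix,
    },
    "node-red-admin": {
      name: "node-red-admin", severity: "moderate", isDirect: false,
      via: ["axios"], effects: ["node-red"], range: ">=0.2.0", fixAvailable: fix,
    },
    "node-red": {
      name: "node-red", severity: "moderate", isDirect: true,
      via: ["node-red-admin"], effects: [], range: ">=1.1.0-beta.1", fixAvailable: fix,
    },
  },
};

// Follow "via" links from a package down to the advisory objects that
// cause the finding. A string entry names another vulnerable package;
// an object entry is the advisory itself.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  return vulns[name].via.flatMap((v) =>
    typeof v === "string" ? rootAdvisories(vulns, v, seen) : [{ pkg: name, ...v }]);
}

// One row per distinct advisory URL: which package carries it, which
// packages inherit it, and whether any offered fix is semver-major.
function summarize(auditReport) {
  const vulns = auditReport.vulnerabilities;
  const rows = new Map();
  for (const name of Object.keys(vulns)) {
    for (const adv of rootAdvisories(vulns, name)) {
      const row = rows.get(adv.url) ?? { ...adv, reachedFrom: [], breakingFix: false };
      row.reachedFrom.push(name);
      const f = vulns[name].fixAvailable;
      if (f && typeof f === "object" && f.isSemVerMajor) row.breakingFix = true;
      rows.set(adv.url, row);
    }
  }
  return [...rows.values()];
}

console.log(JSON.stringify(summarize(report), null, 2));
```

To run it against a real install, replace the constructed `report` with the parsed output of `npm audit --json`.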