Npm audit fails after new installation

When installing Node-RED, I got audit findings:

> npm install node-red

added 302 packages, and audited 303 packages in 29s

45 packages are looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
> npm audit
# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install node-red@1.0.6, which is a breaking change
node_modules/axios
  node-red-admin  >=0.2.0
  Depends on vulnerable versions of axios
  node_modules/node-red-admin
    node-red  >=1.1.0-beta.1
    Depends on vulnerable versions of node-red-admin
    node_modules/node-red

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
(venv) node@nodejs /u/h/n/.n/p/n/new-node-red (development) [0|1]> npm ls
@platynum/new-node-red@1.0.0 /usr/home/node/.node-red/projects/node-red-ca/new-node-red
└── node-red@3.1.0

Is Node-Red affected by this vulnerability? Is there going to be a new Node-RED version for this?

I did a fast scan of the NR code base.

Two findings:

  • A lot of modules (in folder node_modules) define axios as their dependency. Those had to be updated first.
  • NR uses axios as well. I haven't yet found any place where the withCredentials setting is turned on.

The maintainers will have the final call, yet it looks as if the prerequisites for this vulnerability are not given in (current) Node-Red.

I just ran npm audit on my node-red installation and got a different result.

D:\src\nr>npm audit
# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install node-red-admin@0.1.8, which is a breaking change
node_modules/axios
  node-red-admin  >=0.2.0
  Depends on vulnerable versions of axios
  node_modules/node-red-admin
    node-red  >=1.1.0-beta.1
    Depends on vulnerable versions of node-red-admin
    node_modules/node-red

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

D:\src\nr>

Since node-red-admin isn't really needed for the most part by most people, that wouldn't really be much of an issue.

When I run audit on my userDir, I get more results. But still only one against axios and that is a contributed node.


Ah, that's interesting, I get a slightly different result on Linux.

On Windows, the "fix" offers to update just node-red-admin, on Linux it offers to "fix" node-red.

Either way, the axios dependency is on node-red-admin only. Which doesn't seem much of a risk to me.
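To triage a report like the ones above without touching `npm audit fix --force`, here is an added Python example (not from this thread or the Node-RED project) that reads `npm audit --json` output, follows the `effects` links to rebuild the axios > node-red-admin > node-red chain, and flags whether every path runs through a CLI-only package and whether the offered fix is a semver-major change. The npm 7+ report shape and the embedded sample report are assumptions; the sample was constructed to mirror the text output quoted above.

```python
"""Triage an `npm audit --json` report before deciding whether to touch anything.
Assumes (added example, not from the thread) the npm 7+ report shape, where each
"vulnerabilities" entry lists what it is vulnerable "via" and what it "effects"."""
import json

# Constructed sample mirroring the thread's text output; not real npm output.
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "axios": {"isDirect": False, "effects": ["node-red-admin"],
              "via": [{"name": "axios", "severity": "moderate", "range": "0.8.1 - 1.5.1",
                       "title": "Axios Cross-Site Request Forgery Vulnerability",
                       "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"}],
              "fixAvailable": {"name": "node-red", "version": "1.0.6", "isSemVerMajor": True}},
    "node-red-admin": {"isDirect": False, "via": ["axios"], "effects": ["node-red"],
                       "fixAvailable": True},
    "node-red": {"isDirect": True, "via": ["node-red-admin"], "effects": [],
                 "fixAvailable": True}}})


def advisory_chains(report, cli_only=frozenset({"node-red-admin"})):
    """One record per advisory: the dependency chains from the vulnerable package
    up to a top-level dependency, whether every chain passes through a package in
    `cli_only` (tools the running app never loads), and whether the fix is breaking."""
    if isinstance(report, str):
        report = json.loads(report)
    vulns = report["vulnerabilities"]
    results = []
    for name, entry in vulns.items():
        advisories = [v for v in entry["via"] if isinstance(v, dict)]
        if not advisories:
            continue  # affected only transitively; it appears inside a chain below
        chains = []
        def walk(pkg, path):
            path = path + [pkg]
            dependants = vulns.get(pkg, {}).get("effects", [])
            if not dependants:
                chains.append(path)
            for dep in dependants:
                if dep not in path:  # guard against cycles
                    walk(dep, path)
        walk(name, [])
        fix = entry.get("fixAvailable")
        results.append({
            "package": name,
            "advisories": [a["url"] for a in advisories],
            "chains": chains,
            # c[1:] skips the vulnerable package itself when looking for CLI-only hops
            "only_via_cli_tools": all(any(p in cli_only for p in c[1:]) for c in chains),
            "fix_is_breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    return results
```

Feed it `npm audit --json` from the project directory instead of the sample to see which advisories are reachable only via node-red-admin on your own install.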


Shouldn't really need to say this but - don't ever run npm audit fix - if you do, you will almost certainly break something. It is a nefarious part of npm.
