Npm audit fails with recent node-red

When running npm audit with recent node-red, I got the following error:

uuid  <14.0.0
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install node-red@1.3.7, which is a breaking change
node_modules/uuid
  @node-red/nodes  2.0.0-beta.1 - 5.0.0-beta.5
  Depends on vulnerable versions of uuid
  node_modules/@node-red/nodes
    node-red  2.0.0-beta.1 - 5.0.0-beta.5
    Depends on vulnerable versions of @node-red/nodes
    node_modules/node-red

The error seems to be related to old UUID formats. Are these formats used by node-red?

You can simply do npm ls uuid to find out what requires that library.

>npm ls uuid
node-red-master@5.0.0-beta.0 D:\src\nrnext
`-- (empty)

Use npm -g ls uuid if you have a standard node-red install.

Running from my test userDir folder:

npm ls uuid
node-red-userdir@3.0.2 D:\src\nrnext\data
`-- node-red-contrib-uibuilder@7.6.2 -> .\..\..\node-red-contrib-uibuilder
  `-- mermaid@11.14.0
    `-- uuid@11.1.0

Which is a dependency of the uibuilder documentation, I think.

However, from that same location:

>npm audit
found 0 vulnerabilities

Which suggests that uuid <14.0.0 is incorrect.
However, running from my dev instance instead of my v5 instance, I get this from the userDir:

> npm ls uuid
node-red-userdir@2.2.0 D:\src\nr\data
+-- node-red-contrib-ical-events@2.2.5
| `-- kalender-events@0.28.3
|   +-- scrapegoat@1.0.1
|   | `-- request@2.88.2
|   |   `-- uuid@3.4.0
|   `-- uuid@8.3.2
+-- node-red-contrib-telegrambot@17.1.3
| `-- node-telegram-bot-api@0.66.0
|   `-- @cypress/request@3.0.10
|     `-- uuid@8.3.2 deduped
+-- node-red-contrib-uibuilder@7.6.2 -> .\..\..\node-red-contrib-uibuilder
| `-- mermaid@11.14.0
|   `-- uuid@11.1.0
`-- node-red-contrib-web-worldmap@5.6.2
  `-- sockjs@0.3.24
    `-- uuid@8.3.2

But, I still don't get any warning from npm audit about uuid.
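The `npm ls uuid` walk described in this reply, as an added example that is not part of the thread: a Node script that takes the JSON form of the same command (`npm ls uuid --all --json`) and lists every dependency path that reaches a uuid version below the advisory's stated ceiling of 14.0.0. The sample tree is constructed to mirror the text output quoted above; the script and its function names are assumptions of this example, not npm's or Node-RED's code, and its version comparison ignores prerelease tags.

```javascript
// Added example (not from the forum thread): walk the JSON output of `npm ls`
// and report every path that reaches a package whose version is below a
// given ceiling. Against a real tree:
//   npm ls uuid --all --json > tree.json && node find-below.js tree.json
// npm's JSON shape is { name, version, dependencies: { <name>: { version,
// dependencies: {...} } } }; the tree below is constructed from the
// `npm ls uuid` text output quoted in the thread.
'use strict';

const CONSTRUCTED_TREE = {
  name: 'node-red-userdir',
  version: '2.2.0',
  dependencies: {
    'node-red-contrib-ical-events': {
      version: '2.2.5',
      dependencies: {
        'kalender-events': {
          version: '0.28.3',
          dependencies: {
            scrapegoat: {
              version: '1.0.1',
              dependencies: {
                request: {
                  version: '2.88.2',
                  dependencies: { uuid: { version: '3.4.0' } },
                },
              },
            },
            uuid: { version: '8.3.2' },
          },
        },
      },
    },
    'node-red-contrib-uibuilder': {
      version: '7.6.2',
      dependencies: {
        mermaid: { version: '11.14.0', dependencies: { uuid: { version: '11.1.0' } } },
      },
    },
  },
};

// Parse "major.minor.patch[-prerelease]" into three numbers. Prerelease tags
// are deliberately ignored (simplification), so read results for -beta
// versions with that in mind.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk of the npm tree. Returns [{ path, version }] for every
// occurrence of pkgName whose version is strictly below `ceiling`.
function findBelow(tree, pkgName, ceiling) {
  const hits = [];
  const walk = (node, name, path) => {
    if (name === pkgName && node.version && compareVersions(node.version, ceiling) < 0) {
      hits.push({ path: path.join(' > '), version: node.version });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, path.concat(dep));
    }
  };
  walk(tree, tree.name, [tree.name]);
  return hits;
}

// CLI entry point (CommonJS only): read a tree file if given, else use the
// constructed sample. The ceiling 14.0.0 is the one npm audit reported above.
if (typeof module !== 'undefined' && require.main === module) {
  const tree = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : CONSTRUCTED_TREE;
  for (const h of findBelow(tree, 'uuid', '14.0.0')) {
    console.log(`${h.version.padEnd(8)} ${h.path}`);
  }
}
```

Against the constructed tree this prints three lines (uuid 3.4.0 via request, 8.3.2 via kalender-events, 11.1.0 via mermaid), which is the same information `npm ls uuid` gives in text form but in a shape you can diff against the advisory range or feed into CI. Note that `npm ls` reports what is installed in `node_modules`, whereas `npm audit` works from the lockfile, which is one reason the two can disagree in a linked (`->`) development setup like the one shown above.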