Npm audit fails

I think (though not certain) that npm audit fix may update to versions that are not consistent with the settings in package.json. It treats your instruction to fix it as permission to override package.json. That is why it may break things.

But it needs a deeper knowledge, if package.json does not allow updates.

As does fixing the code when you randomly update packages to latest.

Can you explain what you mean by that?

I think what the op is saying is that node-red ships with exact semantic versions specified in the package deps and therefore doesn't permit any patch or minor updates without an audit fix or modifying package.json

Ah, yes, if talking specifically about node-red rather than other modules.

Having played with Node.js for many years now, I can safely say that I would never allow the npm audit to "fix" anything. At least unless I really knew the thing it was fixing and what packages were relying on it.

No matter how hard you try to maintain good semantic versioning, it is always prone to mistakes and often to interpretation as well.

I rely on GitHub extensions to tell me if any of my dependencies have problems and need updating and I grab the latest version of dependencies when I do a new version of my own nodes. Anything else is going to bite you in the nether regions at some inopportune moment and should be avoided.

I agree fully, running npm audit fix can break your software/nodes, especially when running unattended and automatically. On the other hand, if you have to review every detected problem, your users will have a bad time when you're on vacation or tangled in other stuff.

If you update your dependencies (no matter how), you'll have to test the changes. After updating your dependencies, you could test your software with GitHub Actions (or another CI/CD tool) automatically. If your tests pass, your nodes are working. So from my point of view, an automated update process requires an automated testing step. If you have that, npm audit fix is a piece of cake.

Users of node-red need to test their flows after updating node-red anyway. They could rely on the locked set of modules (via package-lock.json) and have the ability to use npm audit fix. I see no reason why this feature is held back from them.

Remember that node red makes use of many modules that are not under the control of the node red team. If one of those is updated and five minutes later a user runs audit fix, then they would get that update before anyone has time to run any tests.

How to fix the following stuff?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Incorrect Comparison in axios                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red > node-red-admin > axios                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x            │
└───────────────┴──────────────────────────────────────────────────────────────┘

You can wait until the next version is included by node-red.

Is that issue a particular problem for you?

I have just published node-red-admin@2.2.1 that updates the axios dependency.

This is one Node-RED dependency where we don't pin to a specific version, so you should be able to update it.

Should that be?
sudo npm -g update node-red-admin

It does not update, but I can't work out why. npm -g outdated isn't showing it either.
npm list shows

$ npm list -g node-red-admin
/usr/lib
└─┬ node-red@2.1.0-beta.1
  └── node-red-admin@2.2.0 

Thanks, that fixes some stuff, but there are others still open:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red > @node-red/editor-api > bcrypt >                   │
│               │ @mapbox/node-pre-gyp > npmlog > gauge > wide-align >         │
│               │ string-width > strip-ansi > ansi-regex                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red > bcrypt > @mapbox/node-pre-gyp > npmlog > gauge >  │
│               │ wide-align > string-width > strip-ansi > ansi-regex          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red > node-red-admin > bcrypt > @mapbox/node-pre-gyp >  │
│               │ npmlog > gauge > wide-align > string-width > strip-ansi >    │
│               │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

ansi-regex is a dependency buried deep in the dependency tree.

It is installed due to our dependency on bcrypt. Given we have the latest bcrypt available, then it is beyond any influence of the Node-RED package.json file.
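The thread makes two points about audit findings: near the top, that npm audit fix may rewrite package.json when the declared range excludes the patched version, and here, that a transitively reached package such as ansi-regex is beyond the reach of the Node-RED package.json at all. The script below is an added example, not code from the thread or from Node-RED, that triages a list of findings into those cases against the ranges a package.json declares. All of the input data is constructed (the some-lib package and its advisory id are placeholders; the axios and ansi-regex advisory ids are the ones shown in the thread's tables), and the range matcher only understands exact pins, caret, tilde and >= bounds, where npm itself uses the full semver package.

```javascript
// Added example, not code from the thread or from Node-RED. Triages audit
// findings against the ranges declared in package.json. All data below is
// constructed; the range matcher covers exact, ^, ~ and >= only.

// Constructed package.json: axios pinned exactly, some-lib on a caret range.
// ansi-regex is deliberately absent because it is only reached transitively.
const packageJson = {
  dependencies: {
    "axios": "0.21.1",
    "some-lib": "^1.4.0",
  },
};

// Constructed findings in the shape of the audit table fields in the thread.
// The some-lib advisory id is a placeholder, not a real GHSA identifier.
const findings = [
  { package: "axios", patchedIn: ">=0.21.2", advisory: "GHSA-cph5-m8f7-6c5x" },
  { package: "ansi-regex", patchedIn: ">=5.0.1", advisory: "GHSA-93q8-gq69-wqmw" },
  { package: "some-lib", patchedIn: ">=1.4.3", advisory: "GHSA-xxxx-placeholder" },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `range`? Supports "1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3".
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith(">=")) return compare(v, parseVersion(r.slice(2))) >= 0;
  if (r.startsWith("^")) {
    const base = parseVersion(r.slice(1));
    if (compare(v, base) < 0) return false;
    // caret keeps the leftmost non-zero component fixed
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return compare(v, base) === 0;
  }
  if (r.startsWith("~")) {
    const base = parseVersion(r.slice(1));
    return compare(v, base) >= 0 && v[0] === base[0] && v[1] === base[1];
  }
  return compare(v, parseVersion(r)) === 0; // exact pin
}

// Classify one finding:
//  "in-range"       - the lowest patched version already fits the declared
//                     range, so refreshing the lock file (npm update) fixes it
//                     without touching package.json
//  "needs-manifest" - the declared range excludes the patched version; audit
//                     fix would have to rewrite package.json to resolve it
//  "transitive"     - not declared directly; the lock file and the upstream
//                     package's own ranges decide when it moves
function classify(finding, pkg) {
  const declared = (pkg.dependencies || {})[finding.package];
  if (declared === undefined) return "transitive";
  const minPatched = finding.patchedIn.replace(/^>=/, "");
  return satisfies(minPatched, declared) ? "in-range" : "needs-manifest";
}

function triage(list, pkg) {
  return list.map((f) => ({ package: f.package, advisory: f.advisory, action: classify(f, pkg) }));
}

for (const row of triage(findings, packageJson)) {
  console.log(`${row.package.padEnd(12)} ${row.advisory.padEnd(24)} ${row.action}`);
}
```

Run with `node triage.js` (any file name works). With the constructed data, axios comes out as needs-manifest because its exact pin excludes 0.21.2, ansi-regex as transitive, and some-lib as in-range; only the first of those is the situation where audit fix has to override package.json, and only the third is safe to hand to an unattended update.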

Have you tried sudo npm -g update ansi-regex ?

How did you update?

@knolleary I've updated and I'm getting the following output now:

║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 7c737c87.dad544 │ error    │ Parsing error: Unexpected token transport                             │ function-eslint ║

I've tried to add the missing plugin to nrlint without success. How can I configure this?

The third error is triggered with the following code:

let { transport } = global.get('nodemailer');

What is wrong with this code?

What exactly have you updated?

What missing plugin? What have you done exactly?

When I run the current version of nrlint on a Function node containing the code you've shared, I get:

║ a0b5c25ababe35ba    │ error    │ 'transport' is assigned a value but never used. │ function-eslint           ║
║ a0b5c25ababe35ba    │ error    │ 'global' is not defined.                        │ function-eslint

This is completely different to what you get - but it does reveal a bug in nrlint... it doesn't know about the global (and flow) builtin objects of the Function node.

So given you are getting completely different results, then we really need to know more about what you've done to get to this point.

@knolleary I've updated nrlint

$ npm ls nrlint
[...]
└── nrlint@1.0.2 

I'm using the following .nrlintrc.js:

module.exports = {
    "rules": {
        "align-to-grid": true,
        "max-flow-size": true,
        "no-duplicate-http-in-urls": true,
        "no-loops": "off",
        "no-overlapping-nodes": true,
        "no-unconnected-http-nodes": true,
        "no-unnamed-functions": true,
        "no-unnamed-links": true,
        "function-eslint": {
            "config": {
                "env": {
                    "es2021": true
                },
                "extends": "eslint:recommended",
                "parserOptions": {
                    "ecmaVersion": 12
                },
                "rules": {}
            }
        }
    },
    "extends": [
      'plugin:security/recommended'
    ],
    "plugins": [
      'eslint-plugin-security'
    ]
}

And getting the following results:

$ npx nrlint --debug flows.json
Flow file: /usr/home/node/.node-red/projects/node-red-ca/flows.json
Configuration file: /usr/home/node/.node-red/projects/node-red-ca/.nrlintrc.js
Loading rules from eslint-plugin-security
╔═════════════════╤══════════╤═══════════════════════════════════════════════════════════════════════╤═════════════════╗
║ Object ID       │ Severity │ Message                                                               │ Rule            ║
╟─────────────────┼──────────┼───────────────────────────────────────────────────────────────────────┼─────────────────╢
║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 49e21da1.f9db54 │ error    │ Parsing error: Unexpected token fetch                                 │ function-eslint ║
║ 7c737c87.dad544 │ error    │ Parsing error: Unexpected token transport                             │ function-eslint ║
║ 5e402da3.a4bcd4 │ error    │ Parsing error: Unexpected token dkimVerify                            │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
╚═════════════════╧══════════╧═══════════════════════════════════════════════════════════════════════╧═════════════════╝
✖ 11 problems (11 errors, 0 warnings)

The two types of errors are coming from:

/* eslint-disable security/detect-object-injection */

and

const { transport } = global.get('dkim-verifier')
