Npm audit fails

You can wait until the next version is included by node-red.

Is that issue a particular problem for you?

I have just published node-red-admin@2.2.1 that updates the axios dependency.

This is one Node-RED dependency where we don't pin to a specific version, so you should be able to update it.

Should that be?
sudo npm -g update node-red-admin

It does not update, but I can't work out why. npm -g outdated isn't showing it either.
npm list shows

$ npm list -g node-red-admin
/usr/lib
└─┬ node-red@2.1.0-beta.1
  └── node-red-admin@2.2.0 

Thanks, that fixes some stuff, but there are others still open:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red > @node-red/editor-api > bcrypt >                   │
│               │ @mapbox/node-pre-gyp > npmlog > gauge > wide-align >         │
│               │ string-width > strip-ansi > ansi-regex                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red > bcrypt > @mapbox/node-pre-gyp > npmlog > gauge >  │
│               │ wide-align > string-width > strip-ansi > ansi-regex          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red > node-red-admin > bcrypt > @mapbox/node-pre-gyp >  │
│               │ npmlog > gauge > wide-align > string-width > strip-ansi >    │
│               │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-93q8-gq69-wqmw            │
└───────────────┴──────────────────────────────────────────────────────────────┘

ansi-regex is a dependency buried deep in the dependency tree.

It is installed due to our dependency on bcrypt. Given we have the latest bcrypt available, it is beyond any influence of the Node-RED package.json file.
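Added example, not code from this thread or from the Node-RED project: a small script that walks the JSON printed by `npm ls --json` (add `--all` on npm 7+ to get the full depth), lists every install path to a given package, and flags the copies whose version is still below the "Patched in" release. This is the check a practitioner wants when, as with ansi-regex here, the finding sits several levels down a transitive chain that the top-level package.json cannot pin. The tree embedded below is constructed for the example, with invented version numbers; only its shape matches the audit paths above.

```javascript
// Added example (not from the thread or from Node-RED): locate every copy of a
// package in an `npm ls --json` tree and report the ones below the patched version.

// Compare two plain x.y.z versions; a prerelease suffix such as -beta.1 is ignored.
// Returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` maps of npm's JSON tree.
// Returns one { path, version } entry per occurrence of `name`, with the path
// written the way npm audit prints it ("a > b > c").
function findPackage(tree, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = trail.concat(dep);
    if (dep === name) out.push({ path: path.join(' > '), version: info.version });
    findPackage(info, name, path, out);
  }
  return out;
}

// Occurrences of `name` still older than `patchedIn` (the audit's "Patched in" version).
function unpatched(tree, name, patchedIn) {
  return findPackage(tree, name).filter((o) => cmpVersion(o.version, patchedIn) < 0);
}

// Constructed sample tree (versions invented for the example), shaped like
// `npm ls --json` output for a node-red install: the copy of ansi-regex reached
// through bcrypt is still 5.0.0, while a second copy elsewhere is already 5.0.1.
const sampleTree = {
  name: 'node-red',
  version: '2.1.0-beta.1',
  dependencies: {
    bcrypt: { version: '5.0.1', dependencies: {
      '@mapbox/node-pre-gyp': { version: '1.0.5', dependencies: {
        npmlog: { version: '5.0.1', dependencies: {
          gauge: { version: '3.0.1', dependencies: {
            'wide-align': { version: '1.1.5', dependencies: {
              'string-width': { version: '4.2.2', dependencies: {
                'strip-ansi': { version: '6.0.0', dependencies: {
                  'ansi-regex': { version: '5.0.0' },
                } },
              } },
            } },
          } },
        } },
      } },
    } },
    'strip-ansi': { version: '6.0.1', dependencies: {
      'ansi-regex': { version: '5.0.1' },
    } },
  },
};

// Print the copies that still need attention, one line per install path.
for (const hit of unpatched(sampleTree, 'ansi-regex', '5.0.1')) {
  console.log(`${hit.version} < 5.0.1 via ${hit.path}`);
}
```

To run it against a real install, replace `sampleTree` with `JSON.parse` of the output of `npm ls --json` executed in the Node-RED install directory (or with `-g` for a global install); a copy that npm has deduplicated to a patched version simply does not show up in the `unpatched` list.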

Have you tried sudo npm -g update ansi-regex ?

How did you update?

@knolleary I've updated and am getting the following output now:

║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 7c737c87.dad544 │ error    │ Parsing error: Unexpected token transport                             │ function-eslint ║

I've tried to add the missing plugin to nrlint without success. How can I configure this?

The third error is triggered with the following code:

let { transport } = global.get('nodemailer');

What is wrong with this code?

What exactly have you updated?

What missing plugin? What have you done exactly?

When I run the current version of nrlint on a Function node containing the code you've shared, I get:

║ a0b5c25ababe35ba    │ error    │ 'transport' is assigned a value but never used. │ function-eslint           ║
║ a0b5c25ababe35ba    │ error    │ 'global' is not defined.                        │ function-eslint           ║

This is completely different to what you get - but it does reveal a bug in nrlint... it doesn't know about the global (and flow) builtin objects of the Function node.

So given you are getting completely different results, then we really need to know more about what you've done to get to this point.
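Added example, not from any post in this thread and not the nrlint project's own configuration: a `.nrlintrc.js` that declares the objects the Function node sandbox injects (`msg`, `node`, `context`, `flow`, `global`, `env`, `RED`) as ESLint globals, so the `'global' is not defined` report above goes away without weakening `eslint:recommended`. It assumes that the `config` object under `function-eslint` is passed to ESLint as an ordinary eslintrc-style config (the thread shows `env`, `extends`, `parserOptions` and `rules` in that position, which is where ESLint's `globals` key also lives). It only adds `globals`; whether the `function-eslint` rule can load the security plugin is left open in the thread and is not addressed here.

```javascript
// Added example (not the thread's or nrlint's own config): tell ESLint about the
// names the Function node provides, so `global.get(...)` is not flagged as an
// undefined identifier. Assumes `config` below is handed to ESLint unchanged.

// Objects injected into a Function node's scope. `msg` is reassignable in a
// Function node (a common pattern is `msg = {}`), the rest are treated as constants.
const functionNodeGlobals = {
  msg: 'writable',
  node: 'readonly',
  context: 'readonly',
  flow: 'readonly',
  global: 'readonly',
  env: 'readonly',
  RED: 'readonly',
};

const config = {
  rules: {
    'no-unnamed-functions': true,
    'function-eslint': {
      config: {
        env: { es2021: true },
        extends: 'eslint:recommended',
        parserOptions: { ecmaVersion: 12 },
        // Without this block, eslint:recommended's no-undef reports
        // "'global' is not defined" for `global.get('nodemailer')`.
        globals: functionNodeGlobals,
        rules: {},
      },
    },
  },
};

module.exports = config;
```

With this in place the remaining report for the snippet in the thread is the legitimate one, `'transport' is assigned a value but never used`, which is what the linter should say about a destructured value that the Function node never uses.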

@knolleary I've updated nrlint

$ npm ls nrlint
[...]
└── nrlint@1.0.2 

I'm using the following .nrlintrc.js:

module.exports = {
    "rules": {
        "align-to-grid": true,
        "max-flow-size": true,
        "no-duplicate-http-in-urls": true,
        "no-loops": "off",
        "no-overlapping-nodes": true,
        "no-unconnected-http-nodes": true,
        "no-unnamed-functions": true,
        "no-unnamed-links": true,
        "function-eslint": {
            "config": {
                "env": {
                    "es2021": true
                },
                "extends": "eslint:recommended",
                "parserOptions": {
                    "ecmaVersion": 12
                },
                "rules": {}
            }
        }
    },
    "extends": [
        "plugin:security/recommended"
    ],
    "plugins": [
        "eslint-plugin-security"
    ]
}

And getting the following results:

$ npx nrlint --debug flows.json
Flow file: /usr/home/node/.node-red/projects/node-red-ca/flows.json
Configuration file: /usr/home/node/.node-red/projects/node-red-ca/.nrlintrc.js
Loading rules from eslint-plugin-security
╔═════════════════╤══════════╤═══════════════════════════════════════════════════════════════════════╤═════════════════╗
║ Object ID       │ Severity │ Message                                                               │ Rule            ║
╟─────────────────┼──────────┼───────────────────────────────────────────────────────────────────────┼─────────────────╢
║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 7950deec.712db  │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 49e21da1.f9db54 │ error    │ Parsing error: Unexpected token fetch                                 │ function-eslint ║
║ 7c737c87.dad544 │ error    │ Parsing error: Unexpected token transport                             │ function-eslint ║
║ 5e402da3.a4bcd4 │ error    │ Parsing error: Unexpected token dkimVerify                            │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
║ 480f3ced.e85b04 │ error    │ Definition for rule 'security/detect-object-injection' was not found. │ function-eslint ║
╚═════════════════╧══════════╧═══════════════════════════════════════════════════════════════════════╧═════════════════╝
✖ 11 problems (11 errors, 0 warnings)

The two types of errors are coming from:

/* eslint-disable security/detect-object-injection */

and

const { transport } = global.get('dkim-verifier')

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.