npm audit against latest node-red 3.0.2, it reports a security vulnerability. Is it safe to --force a fix?
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install firstname.lastname@example.org, which is a breaking change
Depends on vulnerable versions of xml2js
Depends on vulnerable versions of @node-red/nodes
No, don't do that.
What do these commands show, from your .node-red folder?
npm list -g node-red
npm list node-red
As Colin says - that's a no-no. Very likely to break something.
That is probably the worst thing that npm have done.
Dependencies must be managed by the package owner/author. So if you think it a problem, you should raise an issue with the package that has the dependency.
Can you understand the audit text posted? It doesn't make sense to me.
Seems to be saying that Node-RED depends on @node-red/nodes (part of the monorepo), which in turn has a dependency on a vulnerable xml2js version.
It was the node-red >=0.20.0-beta.2 that was confusing me, but I see now that the OP must have installed node red locally, and it is saying that any node red above that version has that dependency.
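Added example (not from the thread or the Node-RED project): a small Node script that walks an `npm audit --json` report, prints the dependency chain that leads from each direct dependency to the advisory, and flags when the only fix npm offers is a semver-major upgrade, i.e. the breaking change that `npm audit fix --force` would apply. The report embedded below is constructed to mirror the thread; the package names and advisory URL are from the thread, while the `x.y.z` fix version is a placeholder.

```javascript
// Constructed sample in the npm v7+ audit JSON shape (not real audit output).
// `via` entries are either package names (intermediate links) or advisory objects.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "xml2js": {
      name: "xml2js", severity: "moderate", isDirect: false,
      via: [{ name: "xml2js", severity: "moderate",
              title: "xml2js is vulnerable to prototype pollution",
              url: "https://github.com/advisories/GHSA-776f-qx25-q3cc" }],
      effects: ["@node-red/nodes"],
      fixAvailable: { name: "node-red", version: "x.y.z", isSemVerMajor: true },
    },
    "@node-red/nodes": {
      name: "@node-red/nodes", severity: "moderate", isDirect: false,
      via: ["xml2js"], effects: ["node-red"],
      fixAvailable: { name: "node-red", version: "x.y.z", isSemVerMajor: true },
    },
    "node-red": {
      name: "node-red", severity: "moderate", isDirect: true,
      via: ["@node-red/nodes"], effects: [],
      fixAvailable: { name: "node-red", version: "x.y.z", isSemVerMajor: true },
    },
  },
};

// Follow `via` links from `pkg` down to every advisory, returning one
// dependency chain per advisory. `path` doubles as the cycle guard.
function advisoryChains(report, pkg, path = []) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || path.includes(pkg)) return [];
  const chain = [...path, pkg];
  const out = [];
  for (const v of entry.via) {
    if (typeof v === "string") out.push(...advisoryChains(report, v, chain));
    else out.push({ chain, advisory: v.url, title: v.title });
  }
  return out;
}

// For each direct dependency: the chains behind it, and whether npm's only
// offered fix is a breaking (semver-major) upgrade. fixAvailable is true,
// false, or an object {name, version, isSemVerMajor} in this format.
function triage(report) {
  return Object.values(report.vulnerabilities)
    .filter((e) => e.isDirect)
    .map((e) => ({
      direct: e.name,
      breakingFixOnly: typeof e.fixAvailable === "object" && e.fixAvailable.isSemVerMajor === true,
      chains: advisoryChains(report, e.name).map((c) => `${c.chain.join(" -> ")} (${c.advisory})`),
    }));
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

A chain whose only fix is semver-major and whose advisory sits two levels below the direct dependency is the case the thread describes: the fix belongs upstream (an issue against the package that declares the vulnerable dependency), not in a forced local upgrade.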