Npm audit reports a vulnerability

When running npm audit against latest node-red 3.0.2, it reports a security vulnerability. Is it safe to --force a fix?

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  -
fix available via `npm audit fix --force`
Will install node-red@0.19.6, which is a breaking change
  @node-red/nodes  *
  Depends on vulnerable versions of xml2js
    node-red  >=0.20.0-beta.2
    Depends on vulnerable versions of @node-red/nodes

No, don't do that.

What do these commands show, from your .node-red folder?
npm list -g node-red
npm list node-red

As Colin says - that's a no-no. Very likely to break something.

That is probably the worst thing that npm have done.

Dependencies must be managed by the package owner/author. So if you think it a problem, you should raise an issue with the package that has the dependency.

Can you understand the audit text posted, it doesn't make sense to me?

Seems to be saying that Node-RED depends on @node-red/nodes (part of the monorepo) which in turn has a dependency on a xml2js vulnerable version.

It was the node-red >=0.20.0-beta.2 that was confusing me, but I see now that the OP must have installed node red locally, and it is saying that any node red above that version has that dependency.

1 Like