When running npm audit against the latest node-red (3.0.2), it reports a security vulnerability. Is it safe to --force a fix?
xml2js <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install node-red@0.19.6, which is a breaking change
node_modules/xml2js
@node-red/nodes *
Depends on vulnerable versions of xml2js
node_modules/@node-red/nodes
node-red >=0.20.0-beta.2
Depends on vulnerable versions of @node-red/nodes
node_modules/node-red
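To see what the audit output above is actually describing, here is an added worked example (not code from this thread or from the Node-RED project): a small Node.js script that reads an npm lockfile, lists every dependency chain from the project root to the flagged package, and checks whether the version the `--force` fix would install is a major-version downgrade of a top-level dependency. The lockfile is constructed to mirror the chain in the audit output (node-red 3.0.2 > @node-red/nodes > xml2js <0.5.0); the project name, the @node-red/nodes version and the xml2js version 0.4.23 are assumptions.

```javascript
// Added example, not code from the forum thread or the Node-RED project.
// Walks an npm lockfile (lockfileVersion 2/3 "packages" map) to find how a
// package flagged by npm audit is reached, and whether the proposed "--force"
// fix is a major-version downgrade (i.e. the "breaking change" npm warns about).
// SAMPLE_LOCK is constructed to mirror the audit output in the question;
// "my-flows", the @node-red/nodes version and xml2js 0.4.23 are assumptions.
const SAMPLE_LOCK = {
  name: "my-flows",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-flows", dependencies: { "node-red": "^3.0.2" } },
    "node_modules/node-red": {
      version: "3.0.2",
      dependencies: { "@node-red/nodes": "3.0.2" },
    },
    "node_modules/@node-red/nodes": {
      version: "3.0.2",
      dependencies: { xml2js: "0.4.23" },
    },
    "node_modules/xml2js": { version: "0.4.23" },
  },
};

// Minimal semver handling: major.minor.patch, pre-release tag ignored.
// (Assumption: adequate for triage; a real tool should use the semver package.)
function parseVersion(v) {
  const [major, minor, patch] = v.split("-")[0].split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const part of ["major", "minor", "patch"]) {
    if (pa[part] !== pb[part]) return pa[part] < pb[part] ? -1 : 1;
  }
  return 0;
}

// The advisory range in the question is "<0.5.0": vulnerable iff version < fixedIn.
function isVulnerable(version, fixedIn) {
  return compareVersions(version, fixedIn) < 0;
}

// "node_modules/@node-red/nodes" -> "@node-red/nodes"
function packageName(lockPath) {
  return lockPath.replace(/^.*node_modules\//, "");
}

// Index lockfile entries by package name. Assumes a flat (hoisted) tree where
// each package appears once; nested node_modules copies would shadow each other.
function indexByName(lock) {
  const byName = {};
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue;
    byName[packageName(lockPath)] = entry;
  }
  return byName;
}

// Depth-first walk from the root entry, collecting every chain ending at `target`.
function findDependencyChains(lock, target) {
  const byName = indexByName(lock);
  const chains = [];
  const walk = (name, entry, chain) => {
    if (chain.includes(name)) return; // cycle guard
    const path = [...chain, name];
    if (name === target) {
      chains.push(path);
      return;
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (byName[dep]) walk(dep, byName[dep], path);
    }
  };
  walk("(root)", lock.packages[""], []);
  return chains;
}

// Would installing `proposedVersion` of `topLevel` downgrade it across a major version?
function assessForcedFix(lock, topLevel, proposedVersion) {
  const current = indexByName(lock)[topLevel].version;
  return {
    current,
    proposed: proposedVersion,
    downgrade: compareVersions(proposedVersion, current) < 0,
    breaking: parseVersion(proposedVersion).major !== parseVersion(current).major,
  };
}

function triage(lock, target, fixedIn, topLevel, proposedVersion) {
  const installed = indexByName(lock)[target].version;
  return {
    target,
    installed,
    vulnerable: isVulnerable(installed, fixedIn),
    chains: findDependencyChains(lock, target).map((c) => c.join(" > ")),
    forcedFix: assessForcedFix(lock, topLevel, proposedVersion),
  };
}

console.log(JSON.stringify(triage(SAMPLE_LOCK, "xml2js", "0.5.0", "node-red", "0.19.6"), null, 2));
```

Run it with `node` and the report shows the single chain `(root) > node-red > @node-red/nodes > xml2js`, `vulnerable: true` for xml2js 0.4.23, and for the forced fix `downgrade: true, breaking: true`: the only node-red release npm can find that avoids the vulnerable xml2js range is 0.19.6, so "fixing" would drop from 3.0.2 to 0.19.6. The script identifies the chain and the blast radius of the proposed change; it does not change the dependency, which, as the replies below say, is for the package that depends on xml2js to update.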
As Colin says - that's a no-no. Very likely to break something.
That is probably the worst thing that npm have done.
Dependencies must be managed by the package owner/author. So if you think it is a problem, you should raise an issue with the package that has the dependency.
It was the node-red >=0.20.0-beta.2 that was confusing me, but I see now that the OP must have installed Node-RED locally, and it is saying that any Node-RED above that version has that dependency.
Thanks.