Npm audit reports a vulnerability

When running npm audit against latest node-red 3.0.2, it reports a security vulnerability. Is it safe to --force a fix?

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install node-red@0.19.6, which is a breaking change
node_modules/xml2js
  @node-red/nodes  *
  Depends on vulnerable versions of xml2js
  node_modules/@node-red/nodes
    node-red  >=0.20.0-beta.2
    Depends on vulnerable versions of @node-red/nodes
    node_modules/node-red

No, don't do that.

What do these commands show, from your .node-red folder?
npm list -g node-red
npm list node-red

As Colin says - that's a no-no. Very likely to break something.

That is probably the worst thing that npm have done.

Dependencies must be managed by the package owner/author. So if you think it is a problem, you should raise an issue with the package that has the dependency.

Can you understand the audit text posted? It doesn't make sense to me.

Seems to be saying that Node-RED depends on @node-red/nodes (part of the monorepo) which in turn has a dependency on a xml2js vulnerable version.

It was the node-red >=0.20.0-beta.2 that was confusing me, but I see now that the OP must have installed Node-RED locally, and it is saying that any Node-RED above that version has that dependency.
Thanks.

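The chain the thread walks through (node-red depends on @node-red/nodes, which depends on a vulnerable xml2js) can be read mechanically from `npm audit --json`. As an added example that is not from the thread or the Node-RED project, the Node script below parses a constructed report in the npm 7+ `--json` shape, follows each vulnerability's `effects` up to the top-level package, and flags whether the only available fix is a semver-major (breaking) change, which is the case behind the `--force` prompt.

```javascript
// Constructed sample in the shape of an `npm audit --json` report (npm 7+ format),
// mirroring the chain in the thread. Not data from the original post.
const sampleReport = { auditReportVersion: 2, vulnerabilities: {
  "xml2js": { name: "xml2js", severity: "high", isDirect: false, range: "<0.5.0",
    via: [{ name: "xml2js", severity: "high", range: "<0.5.0",
            url: "https://github.com/advisories/GHSA-776f-qx25-q3cc" }],
    effects: ["@node-red/nodes"],
    fixAvailable: { name: "node-red", version: "0.19.6", isSemVerMajor: true } },
  "@node-red/nodes": { name: "@node-red/nodes", severity: "high", isDirect: false,
    range: "*", via: ["xml2js"], effects: ["node-red"],
    fixAvailable: { name: "node-red", version: "0.19.6", isSemVerMajor: true } },
  "node-red": { name: "node-red", severity: "high", isDirect: true,
    range: ">=0.20.0-beta.2", via: ["@node-red/nodes"], effects: [],
    fixAvailable: { name: "node-red", version: "0.19.6", isSemVerMajor: true } },
} };

// Entries whose `via` contains an advisory object (rather than only a package
// name) are the packages that are themselves vulnerable; the rest are only affected.
function rootVulnerabilities(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"));
}

// Follow `effects` upwards to every top-level dependant, returning one chain per
// path, e.g. ["xml2js", "@node-red/nodes", "node-red"]. `seen` guards against cycles.
function dependencyChains(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || entry.effects.length === 0 || seen.has(name)) return [[name]];
  const visited = new Set(seen).add(name);
  return entry.effects.flatMap((parent) =>
    dependencyChains(report, parent, visited).map((chain) => [name, ...chain]));
}

// What `npm audit fix` can do: "breaking" means the only fix is a semver-major
// change to a top-level package, which is exactly what `--force` would apply.
function fixKind(entry) {
  const fix = entry.fixAvailable;
  if (!fix) return "none";
  return fix === true || !fix.isSemVerMajor ? "safe" : "breaking";
}

// One summary row per actually-vulnerable package, with the path(s) by which a
// top-level dependency pulls it in and what kind of fix npm is offering.
function summarize(report) {
  return rootVulnerabilities(report).map((v) => ({
    name: v.name, severity: v.severity, range: v.range,
    chains: dependencyChains(report, v.name), fix: fixKind(v),
    fixTarget: typeof v.fixAvailable === "object"
      ? `${v.fixAvailable.name}@${v.fixAvailable.version}` : null,
  }));
}
```

Run it against real output by replacing `sampleReport` with `JSON.parse` of `npm audit --json`; a row whose `fix` is `"breaking"` is one to take to the upstream package rather than to `--force`.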
