Npm audit reports a vulnerability

General
1

When running npm audit against latest node-red 3.0.2, it reports a security vulnerability. Is it safe to --force a fix?

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install node-red@0.19.6, which is a breaking change
node_modules/xml2js
  @node-red/nodes  *
  Depends on vulnerable versions of xml2js
  node_modules/@node-red/nodes
    node-red  >=0.20.0-beta.2
    Depends on vulnerable versions of @node-red/nodes
    node_modules/node-red
2

No, don't do that.

What do these commands show, from your .node-red folder?
npm list -g node-red
npm list node-red

3

As Colin says - that's a no-no. Very likely to break something.

That is probably the worst thing that npm have done.

Dependencies must be managed by the package owner/author. So if you think it a problem, you should raise an issue with the package that has the dependency.

4

Can you understand the audit text posted, it doesn't make sense to me?

5

Seems to be saying that Node-RED depends on @node-red/nodes (part of the monorepo) which in turn has a dependency on a xml2js vulnerable version.

6

It was the node-red >=0.20.0-beta.2 that was confusing me, but I see now that the OP must have installed node red locally, and it is saying that any node red above that version has that dependency.
Thanks.

1 Like
7

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.