Npm audit shows security vulnerabilities

When running npm audit the following messages are shown:

  fs.notify  *
  Depends on vulnerable versions of async
    @node-red/nodes  *
    Depends on vulnerable versions of fs.notify
      node-red  >=0.20.0-beta.2
      Depends on vulnerable versions of @node-red/nodes

4 high severity vulnerabilities

Is there a possibility to fix this without downgrading node-red?

I strongly recommend that you leave well alone unless you really know what you are doing. Broken systems are made of audit "fixes".

New vulnerabilities appear constantly and most of them are minor but the important thing is to recognise that some dependent module upgrades will cause the module that relies on them to break.

It is more important to keep installed modules up-to-date along with your OS. It is more important still that you take precautions to prevent unwanted access to your systems.

If you downgrade, you will get more warnings not less.

What version of Node-RED are you running this against?

I'm always using the latest and greatest:

$ npm ls --production
@platynum/certification-authority@2.1.0 /builds/platynum/certification-authority/flows
+-- node-red-dashboard@3.1.6
+-- node-red@2.2.2

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.