Npm audit shows security vulnerabilities

When running npm audit, the following messages are shown:

node_modules/async
  fs.notify  *
  Depends on vulnerable versions of async
  node_modules/fs.notify
    @node-red/nodes  *
    Depends on vulnerable versions of fs.notify
    node_modules/@node-red/nodes
      node-red  >=0.20.0-beta.2
      Depends on vulnerable versions of @node-red/nodes
      node_modules/node-red

4 high severity vulnerabilities

Is there a possibility to fix this without downgrading node-red?

I strongly recommend that you leave well alone unless you really know what you are doing. Broken systems are made of audit "fixes".

New vulnerabilities appear constantly and most of them are minor, but the important thing is to recognise that some dependent module upgrades will cause the module that relies on them to break.

It is more important to keep installed modules up-to-date along with your OS. It is more important still that you take precautions to prevent unwanted access to your systems.

If you downgrade, you will get more warnings, not fewer.

What version of Node-RED are you running this against?

I'm always using the latest and greatest:

$ npm ls --production
@platynum/certification-authority@2.1.0 /builds/platynum/certification-authority/flows
[...]
+-- node-red-dashboard@3.1.6
+-- node-red@2.2.2
[...]
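
The four findings in the audit output at the top of this thread form one chain (async, fs.notify, @node-red/nodes, node-red). As an added example, not part of any post above, this Node.js sketch groups `npm audit --json` results under the package that carries the advisory. It assumes the npm 7+ report format (auditReportVersion 2); `sampleReport` is constructed, its advisory title is a placeholder, and `rootCauses` is a hypothetical helper name.

```javascript
// Constructed sample shaped like `npm audit --json` output (npm 7+,
// auditReportVersion 2), mirroring the chain in the post.
// The advisory entry is a placeholder, not a real advisory.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    async: { name: "async", severity: "high", isDirect: false,
      via: [{ name: "async", title: "PLACEHOLDER advisory title", severity: "high" }],
      effects: ["fs.notify"] },
    "fs.notify": { name: "fs.notify", severity: "high", isDirect: false,
      via: ["async"], effects: ["@node-red/nodes"] },
    "@node-red/nodes": { name: "@node-red/nodes", severity: "high", isDirect: false,
      via: ["fs.notify"], effects: ["node-red"] },
    "node-red": { name: "node-red", severity: "high", isDirect: true,
      via: ["@node-red/nodes"], effects: [] },
  },
};

// Group reported packages under the package that carries the actual advisory.
// In `via`, objects are advisories; strings name another vulnerable package.
function rootCauses(report) {
  const vulns = report.vulnerabilities || {};
  const roots = [];
  for (const [name, v] of Object.entries(vulns)) {
    const advisories = (v.via || []).filter((x) => typeof x === "object");
    if (advisories.length === 0) continue; // this entry only inherits a finding
    // Follow `effects` to collect every package flagged because of this one.
    const seen = new Set();
    const stack = [...(v.effects || [])];
    while (stack.length) {
      const dep = stack.pop();
      if (seen.has(dep) || !vulns[dep]) continue;
      seen.add(dep);
      stack.push(...(vulns[dep].effects || []));
    }
    const inherited = [...seen];
    roots.push({
      package: name,
      advisories: advisories.map((a) => a.title),
      inherited,
      // Packages listed in your own package.json that pull the finding in.
      directDependents: inherited.filter((d) => vulns[d].isDirect),
    });
  }
  return roots;
}

console.log(JSON.stringify(rootCauses(sampleReport), null, 2));
```

On a real project, feed it the parsed output of `npm audit --json` instead of `sampleReport`.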
