Npm "high" security vulnerabilities?

Just did a fresh node-red installation on a virgin install of Ubuntu-Mate 22.04. When I did the npm install of dashboard and a few other extra modules:

npm i node-red-dashboard node-red-node-email node-red-contrib-image-output node-red-node-base64

I got:

added 62 packages, and audited 109 packages in 3s

11 packages are looking for funding
  run `npm fund` for details

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

When I ran 'npm audit' I got:

# npm audit report

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install node-red-node-email@0.1.12, which is a breaking change
node_modules/node-red-node-email/node_modules/semver
  utf7  >=1.0.2
  Depends on vulnerable versions of semver
  node_modules/node-red-node-email/node_modules/utf7
    imap  >=0.8.18
    Depends on vulnerable versions of utf7
    node_modules/node-red-node-email/node_modules/imap
      node-red-node-email  >=0.1.13
      Depends on vulnerable versions of imap
      node_modules/node-red-node-email

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Question is how do I know if these fixes would be breaking changes?
My system is not visible outside of my local subnet, and "breaking changes" would be a showstopper unless there is a proven solution for the breakage.
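
An added example, not part of the original post: a Node.js sketch that summarizes an `npm audit --json` report per directly installed package, tracing each finding back to its root advisory and showing which version the fix would install and whether npm flags it as a semver-major (breaking) change. The function names and `sampleReport` are hypothetical, and the sample data is constructed to mirror the text report above; the field names assume npm's audit report version 2 layout.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// mirroring the text report in the post; not captured from a real run.
const fix = { name: "node-red-node-email", version: "0.1.12", isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    semver: { name: "semver", severity: "high", isDirect: false, range: "<5.7.2",
      via: [{ title: "semver vulnerable to Regular Expression Denial of Service",
              url: "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" }],
      fixAvailable: fix },
    utf7: { name: "utf7", severity: "high", isDirect: false, range: ">=1.0.2",
      via: ["semver"], fixAvailable: fix },
    imap: { name: "imap", severity: "high", isDirect: false, range: ">=0.8.18",
      via: ["utf7"], fixAvailable: fix },
    "node-red-node-email": { name: "node-red-node-email", severity: "high",
      isDirect: true, range: ">=0.1.13", via: ["imap"], fixAvailable: fix },
  },
};

// Follow string entries in `via` down to the advisory objects at the root.
function traceToAdvisories(report, name, path = []) {
  const entry = report.vulnerabilities[name];
  if (!entry || path.includes(name)) return []; // unknown package or cycle
  const chain = [...path, name];
  return entry.via.flatMap((via) =>
    typeof via === "string"
      ? traceToAdvisories(report, via, chain)
      : [{ chain, title: via.title, advisory: via.url }]);
}

// One row per directly installed package: root cause and what the fix does.
function summarizeAudit(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.isDirect)
    .map((v) => {
      const f = v.fixAvailable; // false, true, or { name, version, isSemVerMajor }
      return {
        package: v.name,
        severity: v.severity,
        causes: traceToAdvisories(report, v.name),
        fix: f === false ? "none" : f === true ? "in range" : `${f.name}@${f.version}`,
        breaking: Boolean(f && f.isSemVerMajor),
      };
    });
}

console.log(JSON.stringify(summarizeAudit(sampleReport), null, 2));
```

To use it on a real install, pass the parsed output of `npm audit --json` to `summarizeAudit` in place of `sampleReport`.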
