Just did a fresh node-red installation on a virgin install of Ubuntu-Mate 22.04. When I did the npm install of dashboard and a few other extra modules:
npm i node-red-dashboard node-red-node-email node-red-contrib-image-output node-red-node-base64
I got:
added 62 packages, and audited 109 packages in 3s
11 packages are looking for funding
run `npm fund` for details
4 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
When I ran 'npm audit' I got:
# npm audit report
semver <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install node-red-node-email@0.1.12, which is a breaking change
node_modules/node-red-node-email/node_modules/semver
utf7 >=1.0.2
Depends on vulnerable versions of semver
node_modules/node-red-node-email/node_modules/utf7
imap >=0.8.18
Depends on vulnerable versions of utf7
node_modules/node-red-node-email/node_modules/imap
node-red-node-email >=0.1.13
Depends on vulnerable versions of imap
node_modules/node-red-node-email
4 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
The question is: how do I know whether these fixes would be breaking changes?
My system is not visible outside of my local subnet, and "breaking changes" would be a showstopper unless there is a proven solution for the breakage.