Outdated node-red-dev

When installing the node-red-dev package npm audit fails. The package hasn't been touched in the last two years. Is it still supported? How can I work around the problems reported? npm audit --fix doesn't solve any issues here.

node@nodejs ~/t/node-red-dev> npm install --save-dev node-red-dev
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated har-validator@5.1.5: this library is no longer supported
npm warn deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
npm warn deprecated cross-spawn-async@2.2.5: cross-spawn no longer requires a build toolchain, use it instead
npm warn deprecated @oclif/command@1.8.36: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/help@1.0.15: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated @oclif/errors@1.3.6: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/errors@1.3.5: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/parser@3.8.17: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/config@1.18.17: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/config@1.18.16: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated @oclif/config@1.18.2: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 443 packages, and audited 444 packages in 21s

23 packages are looking for funding
  run `npm fund` for details

20 vulnerabilities (10 moderate, 10 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
node@nodejs ~/t/node-red-dev> npm audit
# npm audit report

axios  <=0.29.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/axios
  node-red-dev  *
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of npm-check
  Depends on vulnerable versions of npm-remote-ls
  node_modules/node-red-dev

cross-spawn  <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
  execa  0.5.0 - 0.9.0
  Depends on vulnerable versions of cross-spawn
  node_modules/term-size/node_modules/execa
    term-size  1.0.0 - 1.2.0
    Depends on vulnerable versions of execa
    node_modules/term-size
      boxen  1.2.0 - 3.2.0
      Depends on vulnerable versions of term-size
      node_modules/boxen
        update-notifier  0.2.0 - 5.1.0
        Depends on vulnerable versions of boxen
        Depends on vulnerable versions of latest-version
        node_modules/update-notifier
          npm-check  >=3.2.7
          Depends on vulnerable versions of depcheck
          Depends on vulnerable versions of meow
          Depends on vulnerable versions of package-json
          Depends on vulnerable versions of update-notifier
          node_modules/npm-check

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/request
  npm-remote-ls  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of yargs
  node_modules/npm-remote-ls

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow

vue-template-compiler  >=2.0.0
Severity: moderate
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - https://github.com/advisories/GHSA-g3ch-rx76-35fx
fix available via `npm audit fix`
node_modules/vue-template-compiler
  depcheck  0.8.2 - 1.3.1
  Depends on vulnerable versions of vue-template-compiler
  node_modules/depcheck

yargs-parser  <=5.0.0
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/npm-remote-ls/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  node_modules/npm-remote-ls/node_modules/yargs

20 vulnerabilities (10 moderate, 10 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Hi,

No quick fixes here I'm afraid. A number of the packages it depends are no longer maintained and it needs a considerable rewrite to resolve a lot of these issues.

For local use, it's fine as is, but we will need to look at it when we have bandwidth.

Nick

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.