Outdated node-red-dev

augjoh · 11 May 2025 06:30

When installing the node-red-dev package npm audit fails. The package hasn't been touched in the last two years. Is it still supported? How can I work around the problems reported? npm audit --fix doesn't solve any issues here.

node@nodejs ~/t/node-red-dev> npm install --save-dev node-red-dev
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated har-validator@5.1.5: this library is no longer supported
npm warn deprecated glob@6.0.4: Glob versions prior to v9 are no longer supported
npm warn deprecated cross-spawn-async@2.2.5: cross-spawn no longer requires a build toolchain, use it instead
npm warn deprecated @oclif/command@1.8.36: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/help@1.0.15: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm warn deprecated @oclif/errors@1.3.6: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/errors@1.3.5: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/parser@3.8.17: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/config@1.18.17: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated @oclif/config@1.18.16: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm warn deprecated @oclif/config@1.18.2: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm warn deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 443 packages, and audited 444 packages in 21s

23 packages are looking for funding
  run `npm fund` for details

20 vulnerabilities (10 moderate, 10 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
node@nodejs ~/t/node-red-dev> npm audit
# npm audit report

axios  <=0.29.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/axios
  node-red-dev  *
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of npm-check
  Depends on vulnerable versions of npm-remote-ls
  node_modules/node-red-dev

cross-spawn  <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
  execa  0.5.0 - 0.9.0
  Depends on vulnerable versions of cross-spawn
  node_modules/term-size/node_modules/execa
    term-size  1.0.0 - 1.2.0
    Depends on vulnerable versions of execa
    node_modules/term-size
      boxen  1.2.0 - 3.2.0
      Depends on vulnerable versions of term-size
      node_modules/boxen
        update-notifier  0.2.0 - 5.1.0
        Depends on vulnerable versions of boxen
        Depends on vulnerable versions of latest-version
        node_modules/update-notifier
          npm-check  >=3.2.7
          Depends on vulnerable versions of depcheck
          Depends on vulnerable versions of meow
          Depends on vulnerable versions of package-json
          Depends on vulnerable versions of update-notifier
          node_modules/npm-check

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/request
  npm-remote-ls  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of yargs
  node_modules/npm-remote-ls

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow

vue-template-compiler  >=2.0.0
Severity: moderate
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - https://github.com/advisories/GHSA-g3ch-rx76-35fx
fix available via `npm audit fix`
node_modules/vue-template-compiler
  depcheck  0.8.2 - 1.3.1
  Depends on vulnerable versions of vue-template-compiler
  node_modules/depcheck

yargs-parser  <=5.0.0
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install node-red-dev@0.0.1, which is a breaking change
node_modules/npm-remote-ls/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  node_modules/npm-remote-ls/node_modules/yargs

20 vulnerabilities (10 moderate, 10 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

knolleary · 11 May 2025 08:40

Hi,

No quick fixes here I'm afraid. A number of the packages it depends are no longer maintained and it needs a considerable rewrite to resolve a lot of these issues.

For local use, it's fine as is, but we will need to look at it when we have bandwidth.

Nick

system · 10 July 2025 08:40

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Npm audit fails after new installation Feature Requests	3	142	15 January 2024
Npm audit shows security vulnerabilities General	4	652	14 June 2022
Npm audit fails General	29	3831	12 January 2022
Node-red-node-openweathermap 0.2.1 > Insufficient Entropy / severity vulnerability General	4	925	27 April 2020
Npm audit reports a vulnerability General	6	288	11 June 2023

Outdated node-red-dev

Related topics