I have a Docker container which includes npm v11. However, due to some accidental PATH handling, I discovered there were npm audit security issues that couldn't be fixed because they originate from another npm, version 10.9.8. And this originates from Node-RED itself?
According to AI, this is how:

```
node-red
└─ @node-red/runtime
   └─ @node-red/registry
      └─ npm@10.9.8
```
It also claims Node 22 ships with this npm version; however, I upgraded the global npm in the Docker container to 11, so I never noticed it. But why does Node-RED include a vulnerable npm? Should it be upgraded?
```
/data $ npm audit
# npm audit report

brace-expansion 2.0.0 - 2.0.2
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion

ip-address <=10.1.0
Severity: moderate
ip-address has XSS in Address6 HTML-emitting methods - https://github.com/advisories/GHSA-v2v4-37r5-5v8g
fix available via `npm audit fix`
node_modules/npm/node_modules/ip-address

picomatch 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/npm/node_modules/picomatch

3 vulnerabilities (2 moderate, 1 high)

To address all issues, run:
  npm audit fix
/data $
```
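To confirm whether audit findings like the ones above really come from a nested copy of npm rather than from the project's own dependencies, the following added Python script (not from the post or from Node-RED) groups `npm audit --json` findings by the package whose `node_modules` directory vendors them. The sample JSON embedded below is constructed to mirror the three findings in the post; the JSON shape follows the npm 7+ `--json` report format.

```python
import json
import sys
from typing import Dict, List

# Constructed sample of `npm audit --json` output mirroring the post's findings.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "brace-expansion": {"name": "brace-expansion", "severity": "moderate",
                            "range": "2.0.0 - 2.0.2", "fixAvailable": True,
                            "nodes": ["node_modules/npm/node_modules/brace-expansion"]},
        "ip-address": {"name": "ip-address", "severity": "moderate",
                       "range": "<=10.1.0", "fixAvailable": True,
                       "nodes": ["node_modules/npm/node_modules/ip-address"]},
        "picomatch": {"name": "picomatch", "severity": "high",
                      "range": "4.0.0 - 4.0.3", "fixAvailable": True,
                      "nodes": ["node_modules/npm/node_modules/picomatch"]},
    }
})


def owning_package(node_path: str) -> str:
    """Return the package that vendors the vulnerable module, or "" if the
    module sits directly under the project's own node_modules.
    Scoped owners such as '@node-red/registry' are handled."""
    parts = node_path.split("/")
    idx = [i for i, p in enumerate(parts) if p == "node_modules"]
    if len(idx) < 2:
        return ""
    last, prev = idx[-1], idx[-2]
    return "/".join(parts[prev + 1:last])  # segment(s) between the two dirs


def group_by_owner(audit_json: str) -> Dict[str, List[dict]]:
    """Group each finding under the package that bundles it ('<project>' if none)."""
    report = json.loads(audit_json)
    groups: Dict[str, List[dict]] = {}
    for vuln in report.get("vulnerabilities", {}).values():
        for node in vuln.get("nodes", []):
            owner = owning_package(node) or "<project>"
            groups.setdefault(owner, []).append({
                "name": vuln["name"], "severity": vuln["severity"],
                "range": vuln.get("range", ""), "path": node})
    return groups


if __name__ == "__main__":
    # Read a real report from stdin when piped, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    for owner, findings in group_by_owner(data).items():
        print(f"{owner}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['severity']}] {f['name']} {f['range']}  ({f['path']})")
```

Run it as `npm audit --json | python3 audit_owner.py` inside the container; findings grouped under `npm` are fixed by updating (or de-duplicating) that nested npm copy, not by `npm audit fix` on the project.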