Security issues with nr internal npm?

I have a docker container which includes npm v11. However due to some accidental PATH handling, I discovered there were npm audit security issues that couldn't be fixed because they originate from another npm version 10.9.8. And this originates from node red itself?

According to ai, this is how:

node-red
└─ @node-red/runtime
└─ @node-red/registry
└─ npm@10.9.8

It also claims node 22 ships with this npm verison, however I upgraded global npm in docker container to 11 so never noticed it. But why does node red include vulnerable npm? Should it be upgraded?

/data $ npm audit
# npm audit report

brace-expansion  2.0.0 - 2.0.2
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion

ip-address  <=10.1.0
Severity: moderate
ip-address has XSS in Address6 HTML-emitting methods - https://github.com/advisories/GHSA-v2v4-37r5-5v8g
fix available via `npm audit fix`
node_modules/npm/node_modules/ip-address

picomatch  4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/npm/node_modules/picomatch

3 vulnerabilities (2 moderate, 1 high)

To address all issues, run:
  npm audit fix
/data $ 

We are stuck with npm 10 for node-red 4.x as we require support for node.js 18

NR 5 has already been updated to include npm 11.

I had hoped npm would be have shipped a maintenance release on the 10x stream by now to pickup these upstream dependencies.

NR 5?!?! I just updated to latest version 4.1.10

Do I even need a separate global npm for nr docker container? Sure I can select version like 11, but vulnerability of 10 still exist for nr npm. Ai was adamant I should not rely on it, but I use it pretty much for same purposes as palette manager. Perhaps the node 22 base image includes global npm anyways?

If you are using Node-RED via Docker, you update the container, not use npm separately - for anything installed into the container.

For the palette, if installing via palette manager, it uses Node-RED's internal npm. If installing manually from outside Node-RED, you run native npm on your host OS.

My personal opinion is that running Node-RED inside its own container is more bother than it is worth. As long as you are happy to install node.js into your host OS, it is easier to install Node-RED to the OS via npm and then you can update it the same way.

In terms of the warnings, NEVER run the npm audit "fix" at it will almost certainly break something important.

You can read audit logs and see whether it breaks. Often audit fix won't break anything because breaking changes are not enabled by default, needing force flag or something to do that. If anything breaks, it's a simple rollback anyways (ideally it breaks so hard we notice it).

Curious about not using npm. Because since nr is all about developing in production, the normal release is kinda inverted. We install alot of stuff inside the container. Bonus is it is quick with minimal to no downtime. Downside is it complicates release/upgrades. We use bind mount to persist.

The trouble is that it is often not obvious what is being broken. For example, I find that it is common for it to suggest a downgrade, sometimes quite significant. This often will break things but it won't be obvious. In other cases, it commonly recommends new major version uplifts and again, these can seriously break things.

Only if you understand what it is doing. The problem is, even as an "expert", it is very often not clear what impact changes will have or how they might manifest. For anyone not an expert in node.js and npm, it is an impossible task which is why, in this forum, I always recommend NOT doing it unless you really understand the impacts and consequences. In general, except for people in tightly-controlled, secure environments, the impacts of the various security issues are minor anyway and it is all too easy to go too far. (And this coming from someone who is certifiably paranoid!)

Production containers for something as fast-changing as a node.js environment can be may require significant support and development effort. OK, if you have the commercial setup to manage it. For anyone using Node-RED in a personal environment, the overheads simply aren't worth it.

Also, having a complete Node-RED setup, including nodes, in a container means that the node list is fairly set in stone. This can be a good thing for commercial environments of course, but again, a pain where more flexibility is required.

Commercial, production use of Node.js apps is a very different proposition to other uses. When asking for help in the forum, it is best to make clear what type of environment you are working with.

If I were working in an environment like yours and needed to service many customers, I would certainly have a Continuous Deployment service set up along side dev/test/live environments. With probably several test environments up to pre-production, client-facing test environments where at least some trusted clients could test changes before live deployment.

That service would also include a range of continuous security tests. I would likely also have periodic cyber penetration tests. All somewhat dependent on the value and cost of course.

Personally, I would be extremely cautious about deploying something like node-red into a sensitive environment (health, critical infrastructure, etc). It adds an awful lot of attack surface area that may not be especially well understood in detail.

But I'm drifting off-topic of course.

Back to the original topic, I stand by my original assessment in general, don't do npm audits unless you know what you are doing, have a specific security requirement, and have the resources to deeply check the impacts.

By the way, UIBUILDER also uses npm for managing front-end libraries. However, it makes the assumption that you won't be likely to be using Node-RED in any scenario where you would also want to install front-end libraries without already having npm installed. So it uses your already installed version, not a separate instance. In fact, it uses a command shell since, from the earliest days, npm always said that their API was subject to unannounced changes. I think that has changed somewhat now and maybe UIBUILDER will also change in the future, but so far, nobody has complained.