Security vulnerabilities in child dependencies

How can I report and track vulnerabilities related to dependencies of the Node-RED project? My organization uses OWASP Dependency-Check to scan our projects for vulnerabilities. This is flagging the css-what dependency, which is a grandchild dependency of node-red.

+-- node-red@1.3.4
| +-- @node-red/nodes@1.3.4
| | +-- cheerio@0.22.0
| | | +-- css-select@1.2.0
| | | | +-- css-what@2.1.3

On Github there is documentation for reporting security vulnerabilities, but I figure that is for reporting security vulnerabilities in the Node-RED source code, rather than a dependency. Since I cannot override the version of css-what that gets resolved in the dependency tree it would be useful to know if/when Node-RED will upgrade the necessary dependencies to non-vulnerable versions.
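One way to answer the "where does this come from and which top-level package pulls it in" question for an audit record, as an added example that is not part of this thread or of the Node-RED project: walk a dependency tree in the nested shape that `npm ls --all --json` prints and list every path that ends at the flagged package, its depth, and whether the resolved version is still below the version you are waiting for. The tree below is constructed to mirror the `npm ls` excerpt in the question, and the "wanted" version is a placeholder, not a value taken from any advisory.

```javascript
// Added example: locate every occurrence of a package in an npm dependency tree
// and summarise it for a vulnerability-tracking record. Not Node-RED code.

// Constructed tree in the nested shape of `npm ls --all --json`, mirroring the
// excerpt in the question: node-red -> @node-red/nodes -> cheerio -> css-select -> css-what.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "node-red": {
      version: "1.3.4",
      dependencies: {
        "@node-red/nodes": {
          version: "1.3.4",
          dependencies: {
            cheerio: {
              version: "0.22.0",
              dependencies: {
                "css-select": {
                  version: "1.2.0",
                  dependencies: {
                    "css-what": { version: "2.1.3" },
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Return every path (as "name@version" steps) from the root to a package named `target`.
function findPaths(tree, target) {
  const hits = [];
  const walk = (node, path) => {
    const deps = node.dependencies || {};
    for (const [name, child] of Object.entries(deps)) {
      const next = path.concat(`${name}@${child.version}`);
      if (name === target) hits.push(next);
      walk(child, next); // keep walking: the same package can appear again deeper
    }
  };
  walk(tree, []);
  return hits;
}

// Compare two dotted numeric versions ("2.1.3" vs "3.0.0"): negative, zero or positive.
// Deliberately minimal; no prerelease handling, so keep inputs to plain x.y.z strings.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Summarise each occurrence: full path, depth, the direct dependency that
// introduces it, the resolved version, and whether that is below `wantAtLeast`.
function report(tree, target, wantAtLeast) {
  return findPaths(tree, target).map((path) => {
    const version = path[path.length - 1].split("@").pop();
    return {
      path: path.join(" > "),
      depth: path.length,
      via: path[0],
      version,
      belowWanted: compareVersions(version, wantAtLeast) < 0,
    };
  });
}

// Placeholder only: substitute the fixed version from the advisory you are tracking.
const PLACEHOLDER_WANTED_VERSION = "9.9.9";
console.log(JSON.stringify(report(sampleTree, "css-what", PLACEHOLDER_WANTED_VERSION), null, 2));
```

To run this against a real project, replace `sampleTree` with the parsed output of `npm ls --all --json` and set the wanted version from the advisory; the `via` field tells you which direct dependency (here `node-red@1.3.4`) has to publish an update before the resolved version can change, which is the information the maintainers' replies below are about.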

Fix in dev branch - Update to latest cheerio module · node-red/node-red@dbbdd3f · GitHub

Great! Is this expected to land in the next release? At a glance it looks like it is slated for 2.0

The vulnerable package is three levels deep so it partly depends on what the intermediate modules choose to do about it.

The update to the cheerio module is a major version change. As it stands, it is slated for the imminent 2.0 release.

We may be able to backport the fix to the 1.x branch - it depends on whether we've successfully coded around the API changes in the cheerio module. Given we only found out about the issue earlier today, it's too early to say.

I see. At this point I'm just gathering information to bring back to the product stakeholders at my organization so that we can document and justify the existence of this vulnerability in the product we ship. There is no expectation for the fix to be available immediately. I will check back periodically to see when the "cheerio" upgrade lands. Thank you!

For more context, the cheerio module is only used in the HTML node. So the vulnerability is only possibly relevant if you are using that node. Even then, it will depend on the very specific scenario of the vulnerability to know if it's even possible to exercise from within Node-RED. Again, all too early to say. Given the limited resources we have, I'm not sure how much more we will be able to say given it'll be resolved in 2.0.
