There is a compromised dependency drawn into Node-RED. ( Malware in debug · GHSA-8mgj-vmr8-frr6 · GitHub Advisory Database · GitHub )
How can I avoid installing this dependency?
You need to check what version. I've just done a check on my up-to-date installation and got this:
As you can see, there are various versions of debug but none newer than 4.4.1.
4.4.2 is the corrupted version.
@knolleary, @Steve-Mcl, @dceejay, @joepavitt - tagging you guys because it isn't only debug, quite a number of high-profile npm packages have been compromised in a new supply-chain hack.
4.4.2 should get pulled soon I would think (hope)
as above - the version I have in my projects (node red or otherwise) is 4.4.1
It is pulled already.
Can I check, is the main node-red repo protected with dependabot and snyk?
I've also added a requirement for signed git commits to uibuilder as well as those 2 + a couple of other security/code quality checks.
It is worth getting snyk on the case as well.
Hi @augjoh, hope you don't mind but I've re-titled the post because it is clear that Node-RED has not been compromised with this supply-chain mega-hack.
I can also confirm that none of my active nodes including uibuilder and moment are impacted, neither is my web-components library.
Here you go peeps.
The infected versions - to check if you have any of them.
npm ls "backslash@0.2.1" "chalk-template@1.1.1" "supports-hyperlinks@4.1.1" "has-ansi@6.0.1" "simple-swizzle@0.2.3" "color-string@2.1.1" "error-ex@1.3.3" "color-name@2.0.1" "is-arrayish@0.3.3" "slice-ansi@7.1.1" "color-convert@3.1.1" "wrap-ansi@9.0.1" "ansi-regex@6.2.1" "supports-color@10.2.1" "strip-ansi@7.1.1" "chalk@5.6.1" "debug@4.4.2" "ansi-styles@6.2.2"
and just to test (I tested for a non-infected version)
marcusdavies@Marcuss-Mini untitled folder % npm ls "backslash@0.2.1" "chalk-template@1.1.1" "supports-hyperlinks@4.1.1" "has-ansi@6.0.1" "simple-swizzle@0.2.3" "color-string@2.1.1" "error-ex@1.3.3" "color-name@2.0.1" "is-arrayish@0.3.3" "slice-ansi@7.1.1" "color-convert@3.1.1" "wrap-ansi@9.0.1" "ansi-regex@6.2.1" "supports-color@10.2.1" "strip-ansi@7.1.1" "chalk@5.6.1" "debug@4.4.1" "ansi-styles@6.2.2"
untitled folder@ /Users/marcusdavies/Desktop/untitled folder
├─┬ node-red-contrib-zwave-js@10.0.0 extraneous
│ ├─┬ @alcalzone/jsonl-db@3.1.1 extraneous
│ │ └─┬ alcalzone-shared@4.0.8 extraneous
│ │ └── debug@4.4.1 deduped
│ ├─┬ @eslint/config-array@0.21.0 extraneous
│ │ └── debug@4.4.1 deduped
│ ├─┬ @eslint/eslintrc@3.3.1 extraneous
│ │ └── debug@4.4.1 deduped
│ ├─┬ @homebridge/ciao@1.3.4 extraneous
│ │ └── debug@4.4.1 deduped
│ ├─┬ @iconify/utils@2.3.0 extraneous
│ │ └── debug@4.4.1 deduped
│ ├─┬ @serialport/binding-mock@10.2.2 extraneous
│ │ └── debug@4.4.1 deduped
│ ├── debug@4.4.1 extraneous
│ └─┬ eslint@9.34.0 extraneous
│ └── debug@4.4.1 deduped
└─┬ node-red@4.1.0
├─┬ @node-red/editor-api@4.1.0
│ └─┬ memorystore@1.6.7
│ └── debug@4.4.1
└─┬ @node-red/nodes@4.1.0
├─┬ https-proxy-agent@5.0.1
│ ├─┬ agent-base@6.0.2
│ │ └── debug@4.4.1
│ └── debug@4.4.1
└─┬ mqtt@5.11.0
├── debug@4.4.1
├─┬ mqtt-packet@9.0.2
│ └── debug@4.4.1
└─┬ number-allocator@1.0.14
└── debug@4.4.1
marcusdavies@Marcuss-Mini untitled folder %
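An added example (not code from the thread or from the Node-RED project): a small Node.js script that checks a package-lock.json for the exact package@version pairs listed above, so the lockfile can be audited offline alongside the npm ls check. It assumes a lockfileVersion 2 or 3 file (the "packages" map keyed by install path); the sample lockfile below is constructed.

```javascript
// Exact compromised versions as listed in the thread above.
const COMPROMISED = new Set([
  "backslash@0.2.1", "chalk-template@1.1.1", "supports-hyperlinks@4.1.1",
  "has-ansi@6.0.1", "simple-swizzle@0.2.3", "color-string@2.1.1",
  "error-ex@1.3.3", "color-name@2.0.1", "is-arrayish@0.3.3",
  "slice-ansi@7.1.1", "color-convert@3.1.1", "wrap-ansi@9.0.1",
  "ansi-regex@6.2.1", "supports-color@10.2.1", "strip-ansi@7.1.1",
  "chalk@5.6.1", "debug@4.4.2", "ansi-styles@6.2.2",
]);

// Lockfile v2/v3 keys "packages" by install path, e.g.
// "node_modules/mqtt/node_modules/debug". The package name is whatever
// follows the last "node_modules/" segment; scoped names keep "@scope/".
function packageNameFromPath(installPath) {
  const idx = installPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : installPath.slice(idx + "node_modules/".length);
}

// Returns every installed copy (nested duplicates included) whose
// name@version is on the compromised list. Entries without a version
// (the root project, "link": true workspaces) are skipped.
function findCompromised(lockfile) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (!name || !meta.version) continue;
    const spec = `${name}@${meta.version}`;
    if (COMPROMISED.has(spec)) hits.push({ path: installPath, spec });
  }
  return hits;
}

// Reads a real lockfile from disk (assumes CommonJS, i.e. `node scan.js`).
function scanLockfile(path) {
  const fs = require("fs");
  return findCompromised(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed sample: one clean debug, one nested debug@4.4.2, one bad chalk.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-flows", version: "1.0.0" },
    "node_modules/debug": { version: "4.4.1" },
    "node_modules/mqtt/node_modules/debug": { version: "4.4.2" },
    "node_modules/@node-red/nodes": { version: "4.1.0" },
    "node_modules/chalk": { version: "5.6.1" },
  },
};

for (const h of findCompromised(sampleLock)) console.log(`COMPROMISED ${h.spec} at ${h.path}`);
```

To check a real project, call scanLockfile("package-lock.json") from your ~/.node-red directory (or wherever your flows project lives) and treat any returned entry as a reason to reinstall from a clean lockfile.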
What happens to node-red versions that have dependencies that have vulnerabilities? Are they marked as deprecated or removed from npm?
I don't believe that dependabot checks old releases to be honest. So I doubt they would be picked up. I think that you can submit multiple branches to Snyk for testing but again, not sure it keeps testing if you haven't pushed any updates to the branch.
Nice, don't forget to also check -g for global packages. UIBUILDER has its own packages you can install too so you may need to separately check the uibRoot, especially if you've moved it from its default location.