Hi folks,
I have been running some tests with the latest beta image and noticed there are some vulnerabilities in npm packages that have available updates. Would these packages get updated prior to general release of this version?
These are the ones I'm seeing after scanning the docker build:
package: form-data 4.0.2, fix available in form-data 4.0.4
critical vulnerability found: NVD - CVE-2025-7783
package: multer v2.0.1, fix available in v2.0.2
high vulnerability found: NVD - CVE-2025-7338
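For anyone wanting to re-check an image against the two advisories listed above, here is a small added example (not part of this thread or the Node-RED project): it walks an `npm ls --all --json` style dependency tree and flags any installed copy of a package that is below the fix version quoted in the post. The dependency tree below is constructed sample data, not real scan output.

```python
import json
import re

# Constructed sample in the shape of `npm ls --all --json` output (not a real scan result).
SAMPLE_NPM_LS = json.dumps({
    "name": "node-red-docker-test",
    "dependencies": {
        "node-red": {
            "version": "4.0.9",
            "dependencies": {
                "form-data": {"version": "4.0.2"},
                "multer": {"version": "2.0.1"},
                "express": {"version": "4.21.2"},
            },
        },
    },
})

# Advisories as reported in the thread: package -> (fix version, CVE id, severity).
ADVISORIES = {
    "form-data": ("4.0.4", "CVE-2025-7783", "critical"),
    "multer": ("2.0.2", "CVE-2025-7338", "high"),
}

def parse_version(v):
    """Turn '4.0.2' (optionally with a pre-release suffix) into a comparable tuple."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"unrecognised version: {v}")
    return tuple(int(x) for x in core.groups())

def walk(deps, path=()):
    """Yield (name, version, path) for every node in a nested npm ls tree."""
    for name, info in (deps or {}).items():
        here = path + (name,)
        yield name, info.get("version"), here
        yield from walk(info.get("dependencies"), here)

def find_unfixed(npm_ls_json, advisories=ADVISORIES):
    """Return findings for installed packages still below the advisory fix version."""
    tree = json.loads(npm_ls_json)
    findings = []
    for name, version, path in walk(tree.get("dependencies")):
        if name in advisories and version:
            fixed, cve, severity = advisories[name]
            if parse_version(version) < parse_version(fixed):
                findings.append({"package": name, "installed": version, "fix": fixed,
                                 "cve": cve, "severity": severity, "path": " > ".join(path)})
    return findings

if __name__ == "__main__":
    for f in find_unfixed(SAMPLE_NPM_LS):
        print(f"{f['severity']}: {f['package']} {f['installed']} -> {f['fix']} ({f['cve']}) via {f['path']}")
```

Nested copies are reported too, so a vulnerable version pulled in transitively (the usual case for form-data) is not hidden by a fixed top-level one.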
Good spot, and thanks for raising.
FWIW, the PR was raised and merged 3 days before the OP posted
But as @TotallyInformation said, thanks for raising - sometimes things do get missed (just not this time)
I have to say that bumping dependencies is one of the last things I do before creating a new release & publishing. Update the dependencies, run final tests and create a release then publish.
Hello
Thanks for the 4.1 release.
Is it planned to backport the security fix of 4.1.x to the 4.0.x branch?
It was done for 3.1.x when 4.0 started, so I am wondering if it will be done for 4.0.x or if moving to 4.1.x is mandatory to get the updates.
(FYI, I am thinking of switching to 4.1.x, but due to the telemetry addition I need to check if there could be GDPR or other legal impacts related to data collection before switching.)
BR
Stephane
Hi @SLESTM
The 4.1 stream replaces 4.0 - we don't plan to backport fixes to 4.0.9.
You can disable the telemetry feature via the settings file, or when you first run Node-RED and it asks in the editor. NR will not send anything back until it knows one way or another your choice.
Full details are in the docs: Usage Telemetry : Node-RED
Ok thanks a lot for the information. I will move to 4.1