Vulnerabilities in v4.1.0-beta.2

Hi folks,

I have been running some tests with the latest beta image and noticed there are some vulnerabilities in npm packages that have available updates. Would these packages get updated prior to general release of this version?

These are the ones I'm seeing after scanning the docker build:

package: form-data 4.0.2, fix available in form-data 4.0.4
critical vulnerability found: NVD - CVE-2025-7783

package: multer v2.0.1, fix available in v2.0.2
high vulnerability found: NVD - CVE-2025-7338

1 Like

Hi and Welcome,
Fixed for v4.1: Bump dependencies by knolleary · Pull Request #5224 · node-red/node-red · GitHub

2 Likes

Good spot, and thanks for raising.

FWIW, the PR was raised and merged 3 days before the OP posted :wink:

But as @TotallyInformation said, thanks for raising - sometimes things do get missed (just not this time)

I have to say that bumping dependencies is one of the last things I do before creating a new release & publishing. Update the dependencies, run final tests and create a release then publish.