Vulnerabilties in v4.1.0-beta.2

Hi folks,

I have been running some tests with the latest beta image and notice there are some vulnerabilities in npm packages that have available updates. Would these packages get updated prior to general release of this version?

These are the ones I'm seeing after scanning the docker build:

package: form-data 4.0.2, fix available in form-data 4.0.4
critical vulnerability found: NVD - CVE-2025-7783

package: multer v2.0.1, fix available in v2.0.2
high vulnerability found: NVD - CVE-2025-7338

Hi and Welcome,
Fixed for v4.1: Bump dependencies by knolleary · Pull Request #5224 · node-red/node-red · GitHub

Good spot, and thanks for raising.

FWIW, the PR was raised and merged 3 days before the OP posted

But as @TotallyInformation said, thanks for raising - sometimes things do get missed (just not this time)

I have to say that bumping dependencies is one of the last things I do before creating a new release & publishing. Update the dependencies, run final tests and create a release then publish.

Hello

Thanks for the 4.1 release.

Is it planned to backport the security fix of 4.1.x to 4.0.x branch ?

It was done for 3.1.x when 4.0 has started, I am wondering if it will be done for 4.0.x or if move to 4.1.x is mandatory to get the updates..

(FYI, I am thinking to switch to 4.1.x, but due to telemetry addition I need to check if there could be GDPR or other legal impacts related to data collection before switching.)

BR

Stephane

Hi @SLESTM

The 4.1 stream replaces 4.0 - we don’t plan to back port fixes to 4.0.9.

You can disable the telemetry feature via the settings file, or when you first run Node-RED and it asks in the editor. NR will not send anything back until it knows one way or another your choice.

Full details are in the docs: Usage Telemetry : Node-RED

Ok thanks a lot for the information. I will move to 4.1