node-red-nodes
Node-red-node-email vulnerabilities
When I install node-red-node-email using npm, the installer shows 4 moderate severity vulnerabilities
npm i node-red-node-email added 1 package, and audited 103 packages in 4s
11 packages are looking for funding
run npm fund for details
4 moderate severity vulnerabilities
To address all issues (including breaking changes), run: npm audit fix --force
Run npm audit for details.
npm audit fix --force did not fix it.
npm audit
npm audit report
semver <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/node-red-node-email/node_modules/semver
utf7 >=1.0.2
Depends on vulnerable versions of semver
node_modules/node-red-node-email/node_modules/utf7
imap >=0.8.18
Depends on vulnerable versions of utf7
node_modules/node-red-node-email/node_modules/imap
node-red-node-email >=0.1.13
Depends on vulnerable versions of imap
node_modules/node-red-node-email
4 moderate severity vulnerabilities
Is there a way to fix these vulnerabilities?
- [ ] Node-RED version: 3.1.9
- [ ] node.js version: 20.12.2
- [ ] npm version: 10.6.0
- [ ] Platform/OS: Windows
- [ ] Browser: Firefox
All the node-red-node-email dependencies are already at the latest versions. Until upstream releases are available there is nothing to do here.
I solved the problem: I manually updated the semver contained in the directory C:\Users\myuser.node-red\node_modules\node-red-node-email\node_modules\semver to the latest version. Who can update the semver release contained in the npm node-red-node-email package?
Updating just semver is not the problem, it's the chain of nodes that end up depending on it.
npm ls semver
nr-email@ /home/hardillb/temp/nr-email
└─┬ [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]
The point is that there needs to be a new version of utf7, which needs to be included in a new version of imap, which we can then set as the required version for node-red-node-email.
(Side note the last update to the imap package was over 7 years ago, and utf7 was over 8 years ago)
Also, a quick read of the code for utf7 (https://www.npmjs.com/package/utf7?activeTab=code) shows that it is only ever used to test that the version of NodeJS it's running on is newer than v6.0.0.
I STRONGLY suspect that if you look up the CVE that the warning message is pointing at, it is not exploitable via this code path and the whole warning is actually meaningless.
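An added example, not code from the thread or the node-red-nodes project: the `npm audit` output above only lists the chain once, but the same pattern (which path leads to a semver older than 5.7.2) can be checked mechanically over `npm ls --all --json` output. The tree below is a constructed stand-in for that JSON; package names follow the chain in the thread, version numbers are assumptions.

```javascript
// Walk a dependency tree in the shape `npm ls --all --json` prints and report
// every path that ends in a semver release older than the fixed version 5.7.2
// (the range flagged by GHSA-c2qf-rxjj-qqgw). Constructed sample tree below;
// the version numbers are assumptions, not taken from a real install.
const SAMPLE_TREE = {
  name: 'nr-email',
  dependencies: {
    'node-red-node-email': {
      version: '1.19.0',
      dependencies: {
        imap: {
          version: '0.8.19',
          dependencies: {
            utf7: {
              version: '1.0.2',
              dependencies: { semver: { version: '5.3.0' } },
            },
          },
        },
        // A second, already-patched copy: must NOT be reported.
        semver: { version: '7.6.2' },
      },
    },
  },
};

// Numeric comparison of two "major.minor.patch" strings: <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; returns "a@x > b@y > pkg@z" strings for each vulnerable copy.
function findVulnerablePaths(tree, pkg, fixedIn, path = [], hits = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) {
      hits.push(here.join(' > '));
    }
    findVulnerablePaths(node, pkg, fixedIn, here, hits);
  }
  return hits;
}

console.log(findVulnerablePaths(SAMPLE_TREE, 'semver', '5.7.2'));
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the output of `npm ls --all --json`.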
Below you can see what I did to fix it. Let me know if I did something wrong. I just started using node-red and this is my first experience.
I've updated the semver contained in the directory C:\Users\myuser\node-red\node_modules\node-red-node-email\node_modules\semver to version 7.6.2
I've edited C:\Users\myuser\node_modules\node-red-node-email\node_modules\utf7\package.json. I changed "dependencies": { "semver": "5.3.0" },
to
"dependencies": { "semver": "7.6.2" },
then I ran
npm update
changed 2 packages, and audited 174 packages in 18s
27 packages are looking for funding
run npm fund for details
found 0 vulnerabilities
npm ls semver
ventu@ C:\Users\ventu
+-- [email protected]
| -- [email protected]
| -- [email protected]
| -- [email protected] deduped
+-- [email protected]
| -- [email protected]
| -- [email protected]
| -- [email protected]
`-- [email protected]
npm audit found 0 vulnerabilities
We can't change that file, it's not owned/provided by the node-red team.
As I've said, that file needs to be updated by the utf7 project