
MongoDB node dependency issue

Open BlackWild opened this issue 5 years ago • 1 comments

There is a dependency problem with node-red-nodes-mongodb node (latest version, 0.0.14).

The problem is that this version has "mongodb" : "^2.2.34" as its dependency, but according to this link, that version is vulnerable to a Denial of Service attack and the advisory recommends upgrading mongodb to version 3.1.13 or later.

After installing node-red-nodes-mongodb (using npm i node-red-nodes-mongodb) running npm audit returns:

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Denial of Service
  Package         mongodb
  Patched in      >=3.1.13
  Dependency of   node-red-node-mongodb
  Path            node-red-node-mongodb > mongodb
  More info       https://npmjs.com/advisories/1203

I was wondering if developers would check if it is possible to update the dependency of the mongodb node package!


  • Node-RED version: 1.0.6
  • node.js version: 12.17.0
  • npm version: 6.16.4
  • node-red-nodes-mongodb version: 0.0.14

BlackWild · Jun 02 '20 11:06
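The report above boils down to two checks a maintainer would want to automate: whether a declared caret range such as "^2.2.34" can ever resolve to a version inside the advisory's "Patched in" range (it cannot, since a caret on a 2.x version never reaches 3.x), and which paths in an installed dependency tree still carry a version below the patch floor. The following script is an added example written for this thread, not code from the node-red-nodes project or from npm; it implements a deliberately small subset of semver (plain "x.y.z" versions, "^x.y.z" dependency ranges and ">=x.y.z" patched ranges, which is all the audit output here uses) and walks a constructed, package-lock-style tree whose installed mongodb version 2.2.36 is an assumption chosen for illustration.

```javascript
// Added example (not from the node-red-nodes project): reproduce the two
// questions behind the npm audit report in the issue, offline.
//   1. Can a caret dependency range ever resolve to a patched version?
//   2. Which paths in a lockfile-style tree still hold a vulnerable version?
// Only the semver subset needed for the report is implemented (assumption).

// Parse "x.y.z" into an integer triple; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Standard lexicographic comparison of major, minor, patch.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version satisfying a ">=x.y.z" range, the form npm audit printed.
function patchedFloor(range) {
  const m = /^>=\s*(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported patched range: ${range}`);
  return m[1];
}

// Exclusive upper bound of a caret range "^x.y.z": the next major for x>0,
// the next minor for 0.y.z, the next patch for 0.0.z (semver caret rule).
function caretUpperBound(range) {
  const m = /^\^(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported dependency range: ${range}`);
  const [maj, min, pat] = parseVersion(m[1]);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// True when some version allowed by the caret range is >= the patch floor,
// i.e. when `npm update` alone could pull in a fixed release.
function caretRangeCanReachPatch(depRange, patchedRange) {
  return compareVersions(patchedFloor(patchedRange), caretUpperBound(depRange)) < 0;
}

// Depth-first walk over a {dependencies: {name: {version, dependencies}}}
// tree (the shape of package-lock.json v1), returning "a > b > pkg" paths
// whose installed version is below the patch floor.
function findVulnerablePaths(tree, pkgName, patchedRange, trail = []) {
  const floor = patchedFloor(patchedRange);
  const hits = [];
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkgName && compareVersions(entry.version, floor) < 0) {
      hits.push({ path: path.join(' > '), version: entry.version });
    }
    hits.push(...findVulnerablePaths(entry, pkgName, patchedRange, path));
  }
  return hits;
}

// Constructed sample tree mirroring the audit path in the issue. The
// installed mongodb 2.2.36 and the second package are assumptions.
const SAMPLE_TREE = {
  dependencies: {
    'node-red-node-mongodb': {
      version: '0.0.14',
      dependencies: { mongodb: { version: '2.2.36' } },
    },
    'other-app-assumed': {
      version: '1.0.0',
      dependencies: { mongodb: { version: '3.1.13' } },
    },
  },
};

// Values from the issue: declared range and advisory patch range.
const DECLARED_RANGE = '^2.2.34';
const PATCHED_RANGE = '>=3.1.13';

console.log(`can "${DECLARED_RANGE}" reach ${PATCHED_RANGE}?`,
  caretRangeCanReachPatch(DECLARED_RANGE, PATCHED_RANGE));
for (const hit of findVulnerablePaths(SAMPLE_TREE, 'mongodb', PATCHED_RANGE)) {
  console.log(`vulnerable: ${hit.path} (${hit.version})`);
}
```

The first check is the one that matters for this issue: because "^2.2.34" is capped below 3.0.0, no patched release is reachable until the package's own dependency declaration is bumped, which is why a lockfile refresh or `npm update` on the consumer side does not clear the finding.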

or indeed a tested pull request would be most welcome.

dceejay · Jun 02 '20 11:06