
bonjour dependency is unmaintained and insecure

Open RoystonS opened this issue 8 months ago • 0 comments

Describe the bug

This project has a dependency on the npmjs package bonjour v3.5.0.

Unfortunately, that project is no longer maintained, and has a number of security vulnerabilities: https://github.com/watson/bonjour/issues/78

An installation of node-red-contrib-home-assistant-websocket triggers npm audit warnings because of dependencies from bonjour->multicast-dns->dns-packet->ip, which has a high severity security vulnerability.

Updating ip/dns-packet/multicast-dns would require updates to the bonjour package, which isn't happening right now.

However, according to the GitHub issue above, there is a drop-in replacement package, bonjour-service, which is being maintained, and has upgraded dependencies compared to bonjour.

To Reproduce

  1. Install the package into a nodejs environment.
  2. Run npm audit

Receive:
ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ip
  dns-packet  <=5.2.4
  Depends on vulnerable versions of ip
  node_modules/dns-packet
    multicast-dns  6.0.0 - 7.2.2
    Depends on vulnerable versions of dns-packet
    node_modules/multicast-dns
      bonjour  >=3.3.1
      Depends on vulnerable versions of multicast-dns
      node_modules/bonjour
        node-red-contrib-home-assistant-websocket  >=0.19.4-dev.119505248
        Depends on vulnerable versions of bonjour
        node_modules/node-red-contrib-home-assistant-websocket

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
nodered@persephone:~/nodered$ 

Expected behavior

No response

Screenshots

No response

Example Flow


Environment Information

Version: 0.75.0

Home Assistant version: 2024.12.5 Companion version: 4.1.2

Node-RED version: 4.0.8-git Docker: no Add-on: no

Node.js version: v22.13.1 x64 linux OS: Linux 6.8.0-55-generic x64

Additional context

No response

RoystonS, Mar 20 '25 23:03