Open VentuFr opened 1 month ago
All the node-red-node-email dependencies are already at the latest versions. Until upstream releases are available there is nothing to do here.
I solved the problem: I manually updated the semver contents in the directory C:\Users\myuser.node-red\node_modules\node-red-node-email\node_modules\semver to the latest version. Who can update the semver release contained in the npm node-red-node-email package?
Updating just semver is not the problem, it's the chain of nodes that end up depending on it.
```
npm ls semver
nr-email@ /home/hardillb/temp/nr-email
└─┬ node-red-node-email@2.2.1
  └─┬ imap@0.8.19
    └─┬ utf7@1.0.2
      └── semver@5.3.0
```
The point is that there needs to be a new version of utf7, which needs to be included in a new version of imap, which we can then set as the required version for node-red-node-email.
(Side note the last update to the imap package was over 7 years ago, and utf7 was over 8 years ago)
Also a quick read of the code for utf7 (https://www.npmjs.com/package/utf7?activeTab=code) shows that it is only ever used to test that the version of NodeJS it's running on is newer than v6.0.0.
I STRONGLY suspect that if you look up the CVE that the warning message is pointing at that it is not exploitable via this code path and the whole warning is actually meaningless
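The dependency chain above, and the question of whether a flagged transitive package is actually reachable, can be worked out from the lock file rather than by editing files under node_modules. The following is an added example (not code from this thread, from the Node-RED project, or from npm): it walks a constructed lockfileVersion 3 `packages` map modelled on the `npm ls` and `npm audit` output in this thread, reproduces npm's nested-to-hoisted lookup when resolving a dependency, reports every chain that ends at a copy of `semver` matching the advisory range, and emits the `overrides` entry that package.json would need to pin that one copy. The version ranges inside the constructed lock data are illustrative, not copied from the real package.json files of imap or utf7; and pinning semver 7.x under utf7 assumes semver 7 still provides the comparison call utf7 uses for its Node version check, which is what VentuFr's manual edit relied on.

```javascript
// Added example: trace every path by which a project pulls in a package and
// check each installed copy against the range an npm audit advisory prints.
// `lock` is constructed test data in npm lockfileVersion 3 layout, modelled on
// the trees shown in this thread; dependency ranges are illustrative only.
const lock = {
  name: "ventu",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "node-red-contrib-ui-svg": "^2.3.3", "node-red-node-email": "^2.2.1" } },
    "node_modules/node-red-contrib-ui-svg": { version: "2.3.3", dependencies: { "js-beautify": "^1.15.1" } },
    "node_modules/js-beautify": { version: "1.15.1", dependencies: { editorconfig: "^1.0.4" } },
    "node_modules/editorconfig": { version: "1.0.4", dependencies: { semver: "^7.6.2" } },
    "node_modules/semver": { version: "7.6.2" },
    "node_modules/node-red-node-email": { version: "2.2.1", dependencies: { imap: "^0.8.19" } },
    "node_modules/node-red-node-email/node_modules/imap": { version: "0.8.19", dependencies: { utf7: ">=1.0.2" } },
    "node_modules/node-red-node-email/node_modules/utf7": { version: "1.0.2", dependencies: { semver: "5.3.0" } },
    "node_modules/node-red-node-email/node_modules/semver": { version: "5.3.0" },
  },
};

// The advisory as npm audit printed it in this thread (GHSA-c2qf-rxjj-qqgw).
const advisory = { name: "semver", range: "<5.7.2" };

// Where Node would load `dep` from for the package installed at `fromPath`:
// the nearest node_modules directory, climbing towards the project root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx); // climb to the enclosing package
  }
}

// Every chain root -> ... -> target, as a list of {path, name, version} nodes.
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  function walk(path, chain) {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const resolved = resolveDep(packages, path, dep);
      // Skip unresolved deps and cycles (a path already on the current chain).
      if (!resolved || chain.some((n) => n.path === resolved)) continue;
      const next = [...chain, { path: resolved, name: dep, version: packages[resolved].version }];
      if (dep === target) chains.push(next);
      else walk(resolved, next);
    }
  }
  walk("", []);
  return chains;
}

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Only the single-comparator ranges npm audit prints ("<5.7.2", ">=1.0.2").
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || "=") {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

// Chains whose final (installed) copy falls inside the advisory range.
function vulnerableChains(lock, adv) {
  return findChains(lock, adv.name).filter((chain) => satisfies(chain[chain.length - 1].version, adv.range));
}

function formatChain(chain) {
  return chain.map((n) => `${n.name}@${n.version}`).join(" > ");
}

// package.json "overrides" entry that pins only the copy at the end of this
// chain, leaving other copies of the same package untouched.
function overrideFor(chain, fixedRange) {
  let node = fixedRange;
  for (let i = chain.length - 1; i >= 0; i--) node = { [chain[i].name]: node };
  return { overrides: node };
}

for (const chain of vulnerableChains(lock, advisory)) {
  console.log(formatChain(chain), "at", chain[chain.length - 1].path);
  console.log(JSON.stringify(overrideFor(chain, "^7.6.2"), null, 2));
}
```

Run against a real project by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`. The chain it prints is the thing to assess: if the only caller of the flagged package feeds it a constant such as `process.version`, the ReDoS range in the advisory is not reachable from untrusted input, which is the point hardillb makes above. The `overrides` object is npm's own mechanism for forcing a transitive version (npm 8.3 and later); applying it is a local workaround and still leaves the upstream utf7 and imap packages to be updated.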
Below you can see what I did to fix it. Let me know if I did something wrong. I just started using node-red and this is my first experience.
I've updated the semver contents in the directory C:\Users\myuser\node-red\node_modules\node-red-node-email\node_modules\semver to version 7.6.2.
I've edited C:\Users\myuser\node_modules\node-red-node-email\node_modules\utf7\package.json. I changed "dependencies": { "semver": "5.3.0" },
to
"dependencies": { "semver": "7.6.2" },
then I ran

```
npm update

changed 2 packages, and audited 174 packages in 18s

27 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```
```
npm ls semver
ventu@ C:\Users\ventu
+-- node-red-contrib-ui-svg@2.3.3
| `-- js-beautify@1.15.1
|   `-- editorconfig@1.0.4
|     `-- semver@7.6.2 deduped
+-- node-red-node-email@2.2.1
| `-- imap@0.8.19
|   `-- utf7@1.0.2
|     `-- semver@7.6.2
`-- semver@7.6.2
```
npm audit found 0 vulnerabilities
We can't change that file, it's not owned/provided by the node-red team.
As I've said, that file needs to be updated by the utf7 project.
When I install node-red-node-email using npm, the installer shows 4 moderate severity vulnerabilities:
```
npm i node-red-node-email

added 1 package, and audited 103 packages in 4s

11 packages are looking for funding
  run `npm fund` for details

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
```

npm audit fix --force did not fix it.
```
npm audit

# npm audit report

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install node-red-node-email@0.1.12, which is a breaking change
node_modules/node-red-node-email/node_modules/semver
  utf7  >=1.0.2
  Depends on vulnerable versions of semver
  node_modules/node-red-node-email/node_modules/utf7
    imap  >=0.8.18
    Depends on vulnerable versions of utf7
    node_modules/node-red-node-email/node_modules/imap
      node-red-node-email  >=0.1.13
      Depends on vulnerable versions of imap
      node_modules/node-red-node-email

4 moderate severity vulnerabilities
```
Is there a way to fix these vulnerabilities?