-
Notifications
You must be signed in to change notification settings - Fork 593
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Node-red-node-email vulnerabilities #1064
Comments
All the node-red-node-email dependencies are already at the latest versions. Until upstream releases are available there is nothing to do here. |
I solved the problem, I've updated manually the semver contains in the directory C:\Users\myuser.node-red\node_modules\node-red-node-email\node_modules\semver to the last version. |
Updating just
The point is that there needs to be a new version of utf7, which needs to be included in a new version of imap, which we can then set as the required version for node-red-node-email. (Side note the last update to the imap package was over 7 years ago, and utf7 was over 8 years ago) |
Also a quick read of the code for utf7 (https://www.npmjs.com/package/utf7?activeTab=code) shows that it is only ever used with to test that the version of NodeJS it's running on is newer than v6.0.0. I STRONGLY suspect that if you look up the CVE that the warning message is pointing at that it is not exploitable via this code path and the whole warning is actually meaningless |
Below you can see what I did to fix it. I've update the semver contains in the directory C:\Users\myuser\node-red\node_modules\node-red-node-email\node_modules\semver to version 7.6.2 I've edit C:\Users\myuser\node_modules\node-red-node-email\node_modules\utf7\package.json. I changed to "dependencies": { than I run npm update changed 2 packages, and audited 174 packages in 18s 27 packages are looking for funding found 0 vulnerabilities npm ls semver npm audit |
We can't charge that file, it's not owned/provided by the node-red team. As I've said, that file needs to be updated by the |
When I install node-red-node-email using npm, the installer show 4 moderate severity vulnerabilities
npm i node-red-node-email
added 1 package, and audited 103 packages in 4s
11 packages are looking for funding
run
npm fund
for details4 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run
npm audit
for details.npm audit fix --force did not fix it.
npm audit
npm audit report
semver <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/node-red-node-email/node_modules/semver
utf7 >=1.0.2
Depends on vulnerable versions of semver
node_modules/node-red-node-email/node_modules/utf7
imap >=0.8.18
Depends on vulnerable versions of utf7
node_modules/node-red-node-email/node_modules/imap
node-red-node-email >=0.1.13
Depends on vulnerable versions of imap
node_modules/node-red-node-email
4 moderate severity vulnerabilities
There is a way to fix these vulnerabilities?
The text was updated successfully, but these errors were encountered: