Signal K • 2mo ago
Tore Dahl

Tore Dahl - Trying to sort out vulnerabilities ...

Trying to sort out vulnerabilities using npm audit... I find the following a bit confusing... SignalK reports charts-plugin at version 3.1.1 (screenshot 1), while npm audit files this opinion (second screenshot), stating it can install 3.1.1 as a breaking change if told to force it. I have not done that... I simply do not understand 🙂 Anyone who can explain?
Tore Dahl (OP) • 2mo ago
More on the same theme... Node-Red versions

Installed according to npm -v

@signalk/signalk-node-red@3.2.1 | Apache-2.0 | deps: 5 | versions: 42
Combine Node-RED with Signal K data
https://github.com/SignalK/signalk-node-red#readme

keywords: signalk-node-server-plugin, signalk-webapp

dist
.tarball: https://registry.npmjs.org/@signalk/signalk-node-red/-/signalk-node-red-3.2.1.tgz
.shasum: 8cb5bdb9e33dbfe4186bc34a89166a6bcc9b034f
.integrity: sha512-sO1PUxRTLKLnUDnMo38hAepdnYrY94GWntAYuQl+MK5MC7EhzIQInH0ULte17Rl6ekiV//scveSI6ofqEaWWpA==
.unpackedSize: 37.9 kB

dependencies:
@signalk/node-red-embedded: 2.18.x
lodash: ^4.17.4
compare-versions: ^3.0.1
node-red: 3.1.x
geodist: ^0.2.1

maintainers:
- tkurki <teppo.kurki@iki.fi>
- sbender <scott@scottbender.net>

dist-tags:
latest: 3.2.1

npm audit output

npm audit report

form-data  4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via npm audit fix --force
Will install @signalk/signalk-node-red@2.11.0, which is a breaking change
node_modules/form-data
  @node-red/nodes  <=4.1.0-beta.2
  Depends on vulnerable versions of form-data
  Depends on vulnerable versions of on-headers
  node_modules/@node-red/nodes
    node-red  0.20.0-beta.2 - 4.1.0-beta.2
    Depends on vulnerable versions of @node-red/editor-api
    Depends on vulnerable versions of @node-red/nodes
    node_modules/node-red
      @signalk/signalk-node-red  >=2.12.0
      Depends on vulnerable versions of node-red
      node_modules/@signalk/signalk-node-red

And one that did not fit.

To address all issues (including breaking changes), run:
  npm audit fix --force
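The report in the post reads bottom-up: the advisory is against form-data, but the only package the project installs directly is @signalk/signalk-node-red, and every version of it from 2.12.0 upward pulls in a node-red that pulls in the vulnerable form-data. The only "fix" npm can compute is therefore the older 2.11.0, which it flags as a breaking (semver-major) change and hides behind --force. The script below is an added example, not code from this thread, the plugin or npm: it walks the machine-readable form of the same report (npm audit --json, auditReportVersion 2) from each advisory up the effects chain to the direct dependency and reports whether the offered fix is semver-major. The sample report is constructed to mirror the chain visible in the post; the isDirect/nodes fields and the JSON layout come from npm's documented format, not from the post, and the on-headers and @node-red/editor-api entries are omitted because the post shows no advisory details for them.

```javascript
// Added example (not code from the Signal K thread, the plugin or npm):
// walk an `npm audit --json` report (auditReportVersion 2, npm 7+) from the
// advisory at the bottom of a dependency chain up to the direct dependency
// that npm can actually change, and say whether the offered fix is semver-major.

// Constructed sample: names, ranges, advisory url and fix version mirror the
// text report in the post; isDirect/nodes and the exact JSON layout are taken
// from npm's documented audit format, not from the post.
const FIX = { name: '@signalk/signalk-node-red', version: '2.11.0', isSemVerMajor: true };
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'form-data': {
      name: 'form-data', severity: 'critical', isDirect: false,
      // An object in `via` is the advisory itself.
      via: [{
        name: 'form-data',
        title: 'form-data uses unsafe random function in form-data for choosing boundary',
        url: 'https://github.com/advisories/GHSA-fjxv-7rqg-78g4',
        severity: 'critical',
        range: '4.0.0 - 4.0.3',
      }],
      effects: ['@node-red/nodes'],
      range: '4.0.0 - 4.0.3',
      nodes: ['node_modules/form-data'],
      fixAvailable: FIX,
    },
    '@node-red/nodes': {
      name: '@node-red/nodes', severity: 'critical', isDirect: false,
      via: ['form-data'], // a string in `via` means "inherits from this package"
      effects: ['node-red'],
      range: '<=4.1.0-beta.2',
      nodes: ['node_modules/@node-red/nodes'],
      fixAvailable: FIX,
    },
    'node-red': {
      name: 'node-red', severity: 'critical', isDirect: false,
      via: ['@node-red/nodes'],
      effects: ['@signalk/signalk-node-red'],
      range: '0.20.0-beta.2 - 4.1.0-beta.2',
      nodes: ['node_modules/node-red'],
      fixAvailable: FIX,
    },
    '@signalk/signalk-node-red': {
      name: '@signalk/signalk-node-red', severity: 'critical', isDirect: true,
      via: ['node-red'],
      effects: [],
      range: '>=2.12.0',
      nodes: ['node_modules/@signalk/signalk-node-red'],
      fixAvailable: FIX,
    },
  },
};

// Advisories a package inherits: follow string `via` entries down to the
// objects that carry the advisory url. `seen` guards against cyclic reports.
function rootAdvisories(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  return entry.via.flatMap((v) =>
    typeof v === 'string' ? rootAdvisories(vulns, v, seen) : [v]);
}

// Every chain from `name` upward through `effects` to a direct dependency
// (or to a package with no recorded dependents), deepest package first.
function chainsToDirect(vulns, name, path = []) {
  const here = [...path, name];
  const entry = vulns[name];
  if (!entry || entry.isDirect || entry.effects.length === 0 || path.includes(name)) {
    return [here];
  }
  return entry.effects.flatMap((parent) => chainsToDirect(vulns, parent, here));
}

// One finding per (advisory, chain): what is vulnerable, which direct
// dependency pulls it in, and what npm proposes to install instead.
// `fixAvailable` may be true/false or an object, so only objects are read.
function explainReport(report) {
  const vulns = report.vulnerabilities;
  const findings = [];
  for (const [name, entry] of Object.entries(vulns)) {
    for (const adv of entry.via.filter((v) => typeof v !== 'string')) {
      for (const chain of chainsToDirect(vulns, name)) {
        const fix = entry.fixAvailable;
        const hasFix = Boolean(fix && typeof fix === 'object');
        findings.push({
          advisory: adv.url,
          severity: adv.severity,
          vulnerableRange: adv.range,
          chain,
          direct: chain[chain.length - 1],
          fix: hasFix ? `${fix.name}@${fix.version}` : null,
          breaking: hasFix && Boolean(fix.isSemVerMajor),
        });
      }
    }
  }
  return findings;
}

function formatFinding(f) {
  const fixText = f.fix
    ? `${f.fix}${f.breaking ? ' (semver-major: review before forcing)' : ''}`
    : 'none offered by npm';
  return [
    `${f.severity.toUpperCase()} ${f.advisory}`,
    `  vulnerable: ${f.chain[0]} ${f.vulnerableRange}`,
    `  reached through: ${f.chain.join(' -> ')}`,
    `  direct dependency to change: ${f.direct}`,
    `  proposed fix: ${fixText}`,
  ].join('\n');
}

// In real use: `npm audit --json > audit.json`, then JSON.parse the file.
for (const f of explainReport(SAMPLE_REPORT)) console.log(formatFinding(f));
```

Run against the real output of npm audit --json in the server directory, the same walk shows which direct dependency each advisory lands on; when the proposed fix is marked semver-major, the practical choice is between an upstream release of that direct dependency that no longer pins the vulnerable chain and accepting the downgrade, neither of which npm audit fix can decide for you.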
