Node-red-node-email vulnerabilities #1064

Open

VentuFr opened this issue May 6, 2024 · 6 comments

Comments


VentuFr commented May 6, 2024

When I install node-red-node-email using npm, the installer shows 4 moderate severity vulnerabilities.

npm i node-red-node-email
added 1 package, and audited 103 packages in 4s

11 packages are looking for funding
run npm fund for details

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

npm audit fix --force did not fix it.

npm audit

npm audit report

semver <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install node-red-node-email@0.1.12, which is a breaking change
node_modules/node-red-node-email/node_modules/semver
utf7 >=1.0.2
Depends on vulnerable versions of semver
node_modules/node-red-node-email/node_modules/utf7
imap >=0.8.18
Depends on vulnerable versions of utf7
node_modules/node-red-node-email/node_modules/imap
node-red-node-email >=0.1.13
Depends on vulnerable versions of imap
node_modules/node-red-node-email

4 moderate severity vulnerabilities

Is there a way to fix these vulnerabilities?

  • Node-RED version: 3.1.9
  • node.js version: 20.12.2
  • npm version: 10.6.0
  • Platform/OS: Windows
  • Browser: Firefox
hardillb (Member) commented May 6, 2024

All the node-red-node-email dependencies are already at the latest versions. Until upstream releases are available there is nothing to do here.

VentuFr (Author) commented May 30, 2024

I solved the problem: I manually updated the semver contained in the directory C:\Users\myuser.node-red\node_modules\node-red-node-email\node_modules\semver to the latest version.
Who can update the semver release contained in the npm node-red-node-email package?

hardillb (Member) commented May 30, 2024

Updating just semver is not the problem, it's the chain of nodes that end up depending on it.

npm ls semver
nr-email@ /home/hardillb/temp/nr-email
└─┬ node-red-node-email@2.2.1
  └─┬ imap@0.8.19
    └─┬ utf7@1.0.2
      └── semver@5.3.0

The point is that there needs to be a new version of utf7, which needs to be included in a new version of imap, which we can then set as the required version for node-red-node-email.

(Side note: the last update to the imap package was over 7 years ago, and to utf7 over 8 years ago.)
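The chain described above, as an added example that is not part of the issue or of the Node-RED project: a short script that walks the JSON form of `npm ls` output and reports every dependency path ending at a semver older than 5.7.2, the patched version the audit names. The tree is a constructed sample mirroring the one shown; the `compareVersions` helper assumes plain x.y.z version strings.

```javascript
// Added example (not from the issue or the Node-RED project): walk the JSON that
// `npm ls --json --all` prints and report every dependency path that ends at a
// semver version older than 5.7.2, the patched version the audit report names.
// The tree below is a constructed sample mirroring the chain shown in the issue.
const sampleTree = {
  name: 'nr-email',
  dependencies: {
    'node-red-node-email': {
      version: '2.2.1',
      dependencies: {
        imap: {
          version: '0.8.19',
          dependencies: {
            utf7: { version: '1.0.2', dependencies: { semver: { version: '5.3.0' } } },
          },
        },
      },
    },
    // a second, already-patched copy at the top level, which must not be reported
    semver: { version: '7.6.2' },
  },
};

// Numeric comparison of dotted versions (assumption: plain x.y.z strings, which
// is what npm ls prints for the packages in this chain). Negative when a < b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk of the tree; returns "pkg@ver > pkg@ver > ..." strings for
// every occurrence of `pkg` whose installed version is below `fixedIn`.
function findVulnerablePaths(tree, pkg, fixedIn, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerablePaths(node, pkg, fixedIn, here));
  }
  return hits;
}

// With real data, use JSON.parse(execSync('npm ls --json --all')) in place of sampleTree.
console.log(findVulnerablePaths(sampleTree, 'semver', '5.7.2'));
```

The reported path is the place to raise the issue upstream (here the utf7 package), since it is the package that declares the old pin.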

hardillb (Member) commented

Also, a quick read of the code for utf7 (https://www.npmjs.com/package/utf7?activeTab=code) shows that semver is only ever used to test that the version of NodeJS it's running on is newer than v6.0.0.

I STRONGLY suspect that if you look up the CVE that the warning message is pointing at, you will find it is not exploitable via this code path and the whole warning is actually meaningless.

VentuFr (Author) commented Jun 4, 2024

Below you can see what I did to fix it.
Let me know if I did something wrong. I just started using node-red and this is my first experience.

I updated the semver contained in the directory C:\Users\myuser\node-red\node_modules\node-red-node-email\node_modules\semver to version 7.6.2.

I edited C:\Users\myuser\node_modules\node-red-node-email\node_modules\utf7\package.json. I changed

"dependencies": {
  "semver": "5.3.0"
},

to

"dependencies": {
  "semver": "7.6.2"
},

then I ran

npm update

changed 2 packages, and audited 174 packages in 18s

27 packages are looking for funding
run npm fund for details

found 0 vulnerabilities

npm ls semver
ventu@ C:\Users\ventu
+-- node-red-contrib-ui-svg@2.3.3
| `-- js-beautify@1.15.1
|   `-- editorconfig@1.0.4
|     `-- semver@7.6.2 deduped
+-- node-red-node-email@2.2.1
| `-- imap@0.8.19
|   `-- utf7@1.0.2
|     `-- semver@7.6.2
`-- semver@7.6.2

npm audit
found 0 vulnerabilities

hardillb (Member) commented Jun 4, 2024

We can't change that file, it's not owned/provided by the node-red team.

As I've said, that file needs to be updated by the utf7 project.
