You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This project has a dependency on the npmjs package bonjour v3.5.0.
Unfortunately, that project is no longer maintained, and has a number of security vulnerabilities: watson/bonjour#78
An installation of node-red-contrib-home-assistant-websocket triggers npm audit warnings because of dependencies from bonjour->multicast-dns->dns-packet->ip, which has a high severity security vulnerability.
Updating ip/dns-packet/multicast-dns would require updates to the bonjour package, which isn't happening right now.
However, according to the GitHub issue above, there is a drop-in replacement package, bonjour-service, which is being maintained, and has upgraded dependencies compared to bonjour.
To Reproduce
Install the package into a nodejs environment.
Run npm audit
Receive:
ip *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install bonjour@3.3.0, which is a breaking change
node_modules/ip
dns-packet <=5.2.4
Depends on vulnerable versions of ip
node_modules/dns-packet
multicast-dns 6.0.0 - 7.2.2
Depends on vulnerable versions of dns-packet
node_modules/multicast-dns
bonjour >=3.3.1
Depends on vulnerable versions of multicast-dns
node_modules/bonjour
node-red-contrib-home-assistant-websocket >=0.19.4-dev.119505248
Depends on vulnerable versions of bonjour
node_modules/node-red-contrib-home-assistant-websocket
5 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
nodered@persephone:~/nodered$
Expected behavior
No response
Screenshots
No response
Example Flow
Environment Information
Version: 0.75.0
Home Assistant version: 2024.12.5
Companion version: 4.1.2
Node-RED version: 4.0.8-git
Docker: no
Add-on: no
Node.js version: v22.13.1 x64 linux
OS: Linux 6.8.0-55-generic x64
Additional context
No response
The text was updated successfully, but these errors were encountered:
Describe the bug
This project has a dependency on the npmjs package bonjour v3.5.0.
Unfortunately, that project is no longer maintained, and has a number of security vulnerabilities:
watson/bonjour#78
An installation of node-red-contrib-home-assistant-websocket triggers npm audit warnings because of dependencies from bonjour->multicast-dns->dns-packet->ip, which has a high severity security vulnerability.
Updating ip/dns-packet/multicast-dns would require updates to the bonjour package, which isn't happening right now.
However, according to the GitHub issue above, there is a drop-in replacement package, bonjour-service, which is being maintained, and has upgraded dependencies compared to bonjour.
To Reproduce
npm auditReceive:
Expected behavior
No response
Screenshots
No response
Example Flow
Environment Information
Version: 0.75.0
Home Assistant version: 2024.12.5
Companion version: 4.1.2
Node-RED version: 4.0.8-git
Docker: no
Add-on: no
Node.js version: v22.13.1 x64 linux
OS: Linux 6.8.0-55-generic x64
Additional context
No response
The text was updated successfully, but these errors were encountered: