Node red error messages at startup

After upgrading Node Red, i (once again) get a lot of interresting messages in the log.
These are e.g:

  1. found 27 vulnerabilities (1 low, 12 moderate, 14 high). run npm audit fix to fix them, or npm audit for details
  2. npm WARN [email protected] requires a peer of [email protected] - 3 but none is installed. You must install peer dependencies yourself.
  3. nginx: [alert] detected a LuaJIT version which is not OpenResty’s;
    But… How do I fix them?
    When I try to fix them, the “fix” usually fails, or it has no effect.
    I, like many of us HA Core users in here, am an amateur when it comes to linux (Debian in my case), docker and a lot more. So a little more detailed descriptions would be very much appreciated!

Those are all generated from npm which has nothing to do with Linux, Docker, or HA at all. You can safely ignore the npm warnings OR you can audit and try to fix them by checking the output from audit and manually install the packages that are marked.

The other route would be to wipe the NodeRed install and use the bash installer that they have here:

I’m running the latest nodeRED with only the websocket plugin and don’t have any vulnerabilities:

cd ~/.node-red
npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 233 scanned packages

I would remove any packages you are not using the ‘pallette manager’

Can you please explain to me why is it safe to ignore warnings about vulnerabilities? I usually take them seriously but am not familiar with the inner workings of NodeJS.

Because many of the vulnerabilities that are listed out by npm typically are due to badly configured packages and older CVS reports that don’t get updated quick enough. It will also report out vulnerabilities for referenced packages that may not even be referenced in package.json from time to time (due to how nodeJs does references to other packages).

Unless something really sticks out, then 9 times out of 10, the npm audit can be ignored in terms of what it considers vulnerabilities. The audit command has always been problematic (ever since the 1.x days) in terms of what it reports as a vulnerability.

Personally, once a month I go through CVS reports, see what applies to my version of nodeJs and manually update (or remove) any packages that are considered critical. I never, ever use audit because of how flaky it is.


Great explanation, thank very much. :slight_smile: