Lots of Node-RED security warnings when building #53

Open
terrillmoore opened this issue Nov 18, 2019 · 1 comment
@terrillmoore

The security audits complain when building node-red latest. Looks like node-red-contrib-ttn is not up-to-date on core-js. Not sure what has to be done for that, either, because that repo is marked "archived" (read-only).

npm audit fix takes care of the influxdb vulnerability.

Here's the log.

Step 3/10 : RUN npm install node-red-contrib-influxdb
 ---> Running in dec6e7b649ce
npm notice created a lockfile as package-lock.json. You should commit this file.
+ [email protected]
added 3 packages from 6 contributors and audited 1299 packages in 2.543s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
Removing intermediate container dec6e7b649ce
 ---> df34c3998f06
Step 4/10 : RUN npm install node-red-contrib-ttn
 ---> Running in e57b6726bc5d
npm WARN deprecated [email protected]: core-js@<3.0 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

> [email protected] install /usr/src/node-red/node_modules/grpc
> node-pre-gyp install --fallback-to-build --library=static_library

node-pre-gyp WARN Using request for node-pre-gyp https download
[grpc] Success: "/usr/src/node-red/node_modules/grpc/src/node/extension_binary/node-v64-linux-x64-musl/grpc_node.node" is installed via remote

> [email protected] postinstall /usr/src/node-red/node_modules/core-js
> node postinstall || echo "ignore"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

+ [email protected]
added 117 packages from 133 contributors and audited 2086 packages in 11.498s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
Removing intermediate container e57b6726bc5d
 ---> a8d8fae80f04
Step 5/10 : ARG NODERED_INSTALL_PLUGINS
 ---> Running in e70f436c5f0e
Removing intermediate container e70f436c5f0e
 ---> 53b297a28874
Step 6/10 : RUN /bin/bash -c 'for iPkg in "$@" ; do echo "npm install $iPkg" ; npm install "$iPkg" || { echo "couldnt install: $iPkg" ; exit 1 ; } ; done' -- ${NODERED_INSTALL_PLUGINS}
 ---> Running in 93a8e3c67a5c
Removing intermediate container 93a8e3c67a5c
 ---> 609372191067
Step 7/10 : RUN npm audit fix
 ---> Running in 59d5bf55cdf2
up to date in 1.939s
fixed 0 of 1 vulnerability in 2086 scanned packages
  1 vulnerability required manual review and could not be updated
@terrillmoore terrillmoore self-assigned this Nov 18, 2019
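
One way to keep a build like the one logged above from going unnoticed with an unresolved advisory, as an added example that is not part of the original issue or the project's code: it parses the npm 6 style summary lines seen in the log and decides whether the build should fail. The function names, the blocking-severity policy and the sample log (with a placeholder package name) are assumptions.

```javascript
// Added example: gate a Docker build on npm 6 style audit lines in its log.
// Constructed sample modelled on the issue's log; package name is a placeholder.
const SAMPLE_LOG = [
  'Step 3/10 : RUN npm install node-red-contrib-influxdb',
  'found 1 high severity vulnerability',
  'Step 4/10 : RUN npm install node-red-contrib-ttn',
  'npm WARN deprecated example-pkg@0.0.0: no longer maintained',
  'found 1 high severity vulnerability',
  'Step 7/10 : RUN npm audit fix',
  'fixed 0 of 1 vulnerability in 2086 scanned packages',
  '  1 vulnerability required manual review and could not be updated',
].join('\n');

// Attribute each npm summary line to the Docker step that printed it.
function scanBuildLog(text) {
  const report = { steps: [], deprecated: [], unresolved: 0 };
  let step = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    let m;
    if ((m = /^Step (\d+)\/\d+ : (.*)$/.exec(line))) {
      step = { step: Number(m[1]), command: m[2], found: {}, fixed: null };
      report.steps.push(step);
    } else if ((m = /^npm WARN deprecated (\S+): /.exec(line))) {
      report.deprecated.push(m[1]);
    } else if (step && (m = /^found (\d+) (low|moderate|high|critical) severity vulnerabilit/.exec(line))) {
      step.found[m[2]] = Number(m[1]);
    } else if (step && (m = /^fixed (\d+) of (\d+) vulnerabilit/.exec(line))) {
      step.fixed = { fixed: Number(m[1]), total: Number(m[2]) };
    } else if ((m = /^(\d+) vulnerabilit\w+ required manual review/.exec(line))) {
      report.unresolved += Number(m[1]);
    }
  }
  return report;
}

// Hypothetical policy: fail if `npm audit fix` left anything behind; if no fix
// step ran, fail when the last reported count includes a blocking severity.
function shouldFailBuild(report, blocking = ['high', 'critical']) {
  if (report.unresolved > 0) return true;
  const fix = report.steps.filter((s) => s.fixed).pop();
  if (fix) return fix.fixed.fixed < fix.fixed.total;
  const last = report.steps.filter((s) => Object.keys(s.found).length > 0).pop();
  return Boolean(last) && blocking.some((sev) => (last.found[sev] || 0) > 0);
}

console.log(shouldFailBuild(scanBuildLog(SAMPLE_LOG))); // true
```
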
@terrillmoore

Ah, the connector is now deprecated. Per email today.

Indeed that is now deprecated. Please use MQTT directly, don't forget to use SNI in the TLS settings, and wire the output through a JSON function node. That's it!

I'll file a new issue for this.
