Help please! #1122
BitcoinBrendo
started this conversation in
LND
-
@BitcoinBrendo Firstly, we do not recommend that our users run 'npm audit fix --force', because we audit and fix these dependencies as much as possible. Second, this severity was discovered very recently and D3 is already aware of it. So either they will release the fix soon or we have to replace the whole library.
-
Hello!
I've just signed up to GitHub to ask this question, hoping someone can help...
I'm going through the motions of setting up my node through Ubuntu, setting up RTL and when I do the 'npm install --only=prod --legacy-peer-deps' command I get:

```
bitcoinbrendo@nodebox:~/RTL$ npm install --only=prod --legacy-peer-deps
npm WARN config only Use `--omit=dev` to omit dev dependencies from the install.

up to date, audited 325 packages in 2s

24 packages are looking for funding
  run `npm fund` for details

6 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
```

And when I npm audit fix or --force I get this:
```
bitcoinbrendo@nodebox:~/RTL$ npm audit fix
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated protractor@7.0.0: We have news to share - Protractor is deprecated and will reach end-of-life by Summer 2023. To learn more and find out about other options please refer to this post on the Angular blog. Thank you for using and contributing to Protractor. https://goo.gle/state-of-e2e-in-angular
npm WARN deprecated core-js@3.20.3: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1124 packages, and audited 1449 packages in 24s

151 packages are looking for funding
  run `npm fund` for details

npm audit report

d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @swimlane/ngx-charts@6.1.0, which is a breaking change
node_modules/d3-color
@swimlane/ngx-charts >=7.0.0
Depends on vulnerable versions of d3-brush
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-scale
Depends on vulnerable versions of d3-transition
node_modules/@swimlane/ngx-charts
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/d3-interpolate
d3-brush 0.1.0 - 2.1.0
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-transition
node_modules/d3-brush
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale
d3-transition 0.0.7 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/d3-transition

6 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
bitcoinbrendo@nodebox:~/RTL$
```
Does any wizard know what I've done wrong, or how to fix these vulnerabilities?
I don't really want to go any further while I'm getting these warnings.
Appreciate any guidance.
Thanks,
Brendo
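The six "high severity" findings in this thread all trace back to one advisory against d3-color, and the only fix npm offers is the breaking `--force` path. The following added example (not part of the thread and not RTL's code) groups an `npm audit --json` report by root advisory to make that visible; the sample report is constructed from the output quoted in the post, and `rootsOf` and `triage` are hypothetical helper names.

```javascript
// Constructed excerpt of `npm audit --json` (npm 7+, auditReportVersion 2) mirroring
// the report in the post; only the fields used below are kept.
const fix = { name: "@swimlane/ngx-charts", version: "6.1.0", isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "d3-color": { range: "<3.1.0", fixAvailable: fix,
      via: [{ title: "d3-color vulnerable to ReDoS", severity: "high" }] },
    "d3-interpolate": { via: ["d3-color"], fixAvailable: fix },
    "d3-transition": { via: ["d3-color", "d3-interpolate"], fixAvailable: fix },
    "d3-brush": { via: ["d3-interpolate", "d3-transition"], fixAvailable: fix },
    "d3-scale": { via: ["d3-interpolate"], fixAvailable: fix },
    "@swimlane/ngx-charts": { fixAvailable: fix,
      via: ["d3-brush", "d3-color", "d3-interpolate", "d3-scale", "d3-transition"] },
  },
};

// Follow string `via` links down to the packages that carry an advisory object.
function rootsOf(name, vulns, seen = new Set()) {
  const roots = new Set();
  if (seen.has(name) || !vulns[name]) return roots;
  seen.add(name);
  for (const v of vulns[name].via) {
    if (typeof v === "string") rootsOf(v, vulns, seen).forEach((r) => roots.add(r));
    else roots.add(name); // advisory filed against this package itself
  }
  return roots;
}

// Collapse the per-package findings into one entry per underlying advisory.
function triage(report) {
  const vulns = report.vulnerabilities;
  const byRoot = new Map();
  for (const name of Object.keys(vulns)) {
    for (const root of rootsOf(name, vulns)) {
      if (!byRoot.has(root)) byRoot.set(root, []);
      if (name !== root) byRoot.get(root).push(name);
    }
  }
  return [...byRoot].map(([root, dependents]) => {
    const f = vulns[root].fixAvailable; // false | true | {name, version, isSemVerMajor}
    const breaking = typeof f === "object" && f !== null && f.isSemVerMajor;
    return { root, range: vulns[root].range, dependents: dependents.sort(),
      titles: vulns[root].via.filter((v) => typeof v === "object").map((v) => v.title),
      fix: !f ? "none" : breaking ? `needs --force: ${f.name}@${f.version}` : "npm audit fix" };
  });
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

On a real checkout, feed it the parsed output of `npm audit --json` instead of `sampleReport`.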