
[BUG] npm audit fix doesn't work #3472

Closed
1 task done
kleinfreund opened this issue Jun 26, 2021 · 95 comments
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 8.x work is associated with a specific npm 8 release

Comments

@kleinfreund

kleinfreund commented Jun 26, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In my project, when running npm audit, one of the reported vulnerable packages is listed with the message “fix available via npm audit fix”, but running npm audit fix doesn’t lead to any updated packages and the exact same output as from the earlier run of npm audit is logged.

This occurs on kleinfreund/vue-accessible-color-picker@35bec0e.

Which dependency from my package.json file is actually the vulnerable one I cannot tell with the new output of npm audit in npm 7. This is what the output looks like:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix`
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

Expected Behavior

When seeing a message with the clear instruction “fix available via npm audit fix”, I expect this to be truthful and npm audit fix to always produce a changed package-lock.json file.

Steps To Reproduce

  1. Run git clone https://github.com/kleinfreund/vue-accessible-color-picker.git
  2. Run git checkout 35bec0e751abad872de79657053cb8de07321faa to check out the commit on the project’s main branch at the time of writing this.
  3. Run npm install
  4. Run npm audit. Observe how currently this includes an entry with the message “fix available via npm audit fix”. For this particular advisory, this is no longer the case, unfortunately.
  5. Run npm audit fix

Environment

  • OS: Ubuntu 20.04
  • Node: v14.17.1
  • npm: 7.19.0
@kleinfreund kleinfreund added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Jun 26, 2021
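An added example (not npm's code and not from anyone in this thread) that answers the reporter's question of which package.json dependency actually pulls in the vulnerable install: it walks a lockfileVersion 2/3 package-lock.json in npm's resolution order and lists every chain from a direct dependency to an install inside the advisory's range. The lockfile and advisory below are constructed to mirror the css-what chain in the report; isVulnerable only understands the range shapes npm audit prints.

```javascript
// Added example, not npm's own code: walk a package-lock.json ("packages" map, lockfileVersion 2/3)
// the way npm resolves dependencies and report which direct dependency pulls in a vulnerable install.
const sampleLock = { packages: { // constructed sample mirroring the css-what chain in the report
  "": { dependencies: { "css-select": "^4.1.3" }, devDependencies: { "postcss-svgo": "^4.0.0" } },
  "node_modules/css-select": { version: "4.1.3", dependencies: { "css-what": "^5.0.0" } },
  "node_modules/css-what": { version: "5.0.1" },
  "node_modules/postcss-svgo": { version: "4.0.2", dependencies: { svgo: "^1.0.0" } },
  "node_modules/svgo": { version: "1.3.2", dependencies: { "css-select": "^2.0.0" } },
  "node_modules/svgo/node_modules/css-select": { version: "2.1.0", dependencies: { "css-what": "^3.2.1" } },
  "node_modules/svgo/node_modules/css-what": { version: "3.4.2" },
} };
const sampleAdvisory = { name: "css-what", range: "<5.0.1" }; // range exactly as npm audit prints it
// Numeric "X.Y.Z" compare; prerelease tags are dropped, which is enough for the ranges audit prints.
const parseVersion = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => (a[0] - b[0]) || (a[1] - b[1]) || (a[2] - b[2]);
// Range shapes npm audit prints: "*", "<X", "<=X" and "X - Y" (inclusive on both ends).
function isVulnerable(version, range) {
  if (range.trim() === "*") return true;
  const v = parseVersion(version);
  const hyphen = range.match(/^(\S+)\s+-\s+(\S+)$/);
  if (hyphen) return cmp(v, parseVersion(hyphen[1])) >= 0 && cmp(v, parseVersion(hyphen[2])) <= 0;
  const m = range.match(/^(<=?)\s*(\S+)$/);
  if (!m) throw new Error("unsupported range: " + range);
  return m[1] === "<" ? cmp(v, parseVersion(m[2])) < 0 : cmp(v, parseVersion(m[2])) <= 0;
}
// npm's resolution: try <from>/node_modules/<name>, then walk up the tree towards the root.
function resolveDep(packages, from, name) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    base = base.includes("/node_modules/") ? base.slice(0, base.lastIndexOf("/node_modules/")) : "";
  }
}
// Every chain from the root to a vulnerable install; chain[0] is the direct dependency to act on.
function vulnerablePaths(lock, advisory) {
  const pkgs = lock.packages, found = [];
  (function walk(path, chain, seen) {
    for (const name of Object.keys({ ...pkgs[path].dependencies, ...pkgs[path].devDependencies })) {
      const loc = resolveDep(pkgs, path, name);
      if (!loc || seen.has(loc)) continue; // not installed (e.g. optional) or a cycle
      const next = chain.concat(name + "@" + pkgs[loc].version);
      if (name === advisory.name && isVulnerable(pkgs[loc].version, advisory.range))
        found.push({ direct: next[0], chain: next, location: loc });
      walk(loc, next, new Set(seen).add(loc));
    }
  })("", [], new Set());
  return found;
}
for (const p of vulnerablePaths(sampleLock, sampleAdvisory)) console.log(p.chain.join(" > "), "at", p.location);
```

To use it on a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))` and take the package name and range from the npm audit output.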
@Trickfilm400

Same issue here in my project (https://github.com/trickfilm400/vantage-node),
Troubleshooting steps tried:

  • deleting package-lock.json
  • deleting node_modules/ folder

This did not help in any way.

Environment:

  • Windows 10
  • npm 7.19.0
  • node v14.17.0

Screenshot of console output for more information if needed

@chase-moskal

i'm having the same problem in my project https://github.com/chase-moskal/xiome

@Rationum

Encountering the exact same issue.
Environment:
Windows: 10
Node: 16.9.1
NPM: 7.24.2

@jeffreywdonahue

Same issue, I ran the suggested force and I don't get better results. Do we need to manually add the updates for each package?

@tyukesz

tyukesz commented Nov 3, 2021

I have the same issue. I attach a screenshot, but there are a lot more vulnerable packages than these 2, which cannot be "fixed".


@cpolanish

cpolanish commented Nov 5, 2021

I'm seeing the same thing on numerous packages as well
Win 11
Node 14.16.0
npm 7.6.3


@frudolph77

Issue also exists in

$ node --version
v16.13.0
$ npm --version
8.1.0

@petera703

Same issue here, getting worse and worse each time I run npm audit fix --force! :(

G:\>node --version
v16.13.0
G:\>npm --version
8.1.4

Started with:

1 moderate severity vulnerability To address all issues, run: npm audit fix

But after running npm audit fix --force, it then said 27 vulnerabilities (16 moderate, 9 high, 2 critical)

And after running npm audit fix --force again, it said 53 vulnerabilities (12 low, 23 moderate, 16 high, 2 critical)

One time it said 66 vulnerabilities (54 moderate, 11 high, 1 critical), and after that I left it running in a loop (for /L %i in (1,1,50) do npm audit fix --force) which alternated between 27 and 53 vulnerabilities till I killed it.

I'm now attaching all output from the above, which shows the modules it was reporting.


@RienBijl

Is there any hope of this issue being resolved?

@marte3707

same problem here.

Npm 8.1.4
Node 17.1.0
Windows 11

@aubreyyan

+1, npm audit fix worsens the issue(s), and downgrades packages

@JakeIwen

JakeIwen commented Dec 3, 2021

I resolved this by removing "npm": "^8.1.3", from the package.json dependencies and then running npm i && npm audit fix.
No idea why it was there to begin with.

As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.

I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^

Environment:
node: 14.18.1
npm: 8.2.0 (latest as of today)

@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

@inf3rnus

inf3rnus commented Jan 7, 2022

Same problem... This is a significant problem.

My environment:

Ubuntu 18.04
NPM 8.3.0
Node v16.13.1

@aubreyyan

aubreyyan commented Jan 7, 2022

I resolved this by removing "npm": "^8.1.3", from the package.json dependencies. and then npm i && npm audit fix No idea why it was there to begin with.

As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.

I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^

Environment:
node: 14.18.1
npm: 8.2.0 (latest as of today)

@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

This does not fix the problem for me; I didn't have "npm": "^ in my package.json.

@andrewtannernumiko

Same problem for me.

MacOS 11.6
NPM 8.1.2
Node 16.13.2

@VasilisTako

Same problem here:

MacOS 12.1
Node v16.13.1
NPM 8.3.0

@AlexandreLage

Same

@net-tech

same

@lprekon

lprekon commented Jan 23, 2022

Same

@raffaeltavares

Same

@mytechnotalent

Same

@mytechnotalent

Same

@GhostGlitch

Windows 10
Node v16.13.2
NPM v8.4.0

@mytechnotalent

MacOS
Node v16.13.2
NPM v8.1.2

@mazwaay

mazwaay commented Nov 15, 2022

same issue

npm -v
9.1.1
node -v
v18.12.1

@Dawid-Vardanyan

Same issue.
npm update changed nothing.

node --version
v18.12.1
npm --version
9.1.2

@gusaaaaa

Same problem.

node --version
v18.6.0

npm --version
8.13.2

@kleinfreund kleinfreund changed the title [BUG] npm audit instructs me to run “npm audit fix” but it doesn’t update any packages [BUG] npm audit fix doesn't work Nov 28, 2022
@Underdoge

same here.
node --version
v16.18.0
npm --version
8.19.2

@kleinfreund

Closing this issue as there doesn't seem to be an interest in acknowledging or fixing it.

I've stopped using (or trying to use) npm audit fix completely and instead update vulnerable dependencies by hand (completely manual).

@kleinfreund kleinfreund closed this as not planned Won't fix, can't repro, duplicate, stale Dec 2, 2022
@Underdoge

Closing this issue as there doesn't seem to be an interest in acknowledging or fixing it.

I've stopped using (or trying to use) npm audit fix completely and instead update vulnerable dependencies by hand (completely manual).

Same here. I was forced to use the "overrides" section of package.json to force the fixes.

@dominikj111

It does work, just not for all packages. It would be handy to get some feedback from a developer's investigation, so we can all know what to do to get rid of the vulnerabilities.
Maybe the problem is on the vendor packages' side?

For example, my npm audit fix fixed the critical issue with loader-utils 2.0.0 - 2.0.3, but it didn't solve the problems with d3-color <3.1.0.

Maybe do not mention "fix available via npm audit fix" if it is not true.

@juanjcardona13

Same problem here:

Ubuntu 20.04.5
Node v18.12.1
NPM 9.2.0

@dreaddymck

Having the same issue.

Windows 11/WSL2
Ubuntu: 22.04.1 LTS
Node: v19.3.0
npm: 9.2.0

Related to:

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h

Some details

Two different projects on the same machine.
npm audit fix --force was the recommendation for the project that succeeded (hosted on github.com).
npm audit fix was the recommendation for the project that fails (hosted on bitbucket.com).

Regarding npm audit fix and the project that failed:
package.json and package-lock.json show "json5": "^2.2.2", which is the latest as of posting and the proposed solution; however, the npm audit report still displays

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/xml-loader/node_modules/json5
  loader-utils  <=1.4.2
  Depends on vulnerable versions of json5
  node_modules/xml-loader/node_modules/loader-utils
    xml-loader  >=1.1.0
    Depends on vulnerable versions of loader-utils
    node_modules/xml-loader

3 high severity vulnerabilities

To address all issues, run:
  npm audit fix

npm update <package name> does not appear to change anything.

@Shahard2

npm update

did you solve this eventually?

@dreaddymck

did you solve this eventually?

Yes. In this case the WSL instance could not make changes since the files were hosted in a Windows directory.

The solution at the time was to move the project into the Ubuntu environment.

@llaricci

I was having this issue. 'npm rebuild' ended up solving it for me.

@CollinsMunene

If you are still experiencing this issue, try this:

$ npm install -g npm-check-updates
$ ncu -u
$ npm install
$ npm audit fix --force

@Astarosa

Astarosa commented May 5, 2023

This issue has been known for years and it looks like there is no desire to fix it...
But for security purposes it would be appreciated.

@panyann

panyann commented May 11, 2023

If no one wants to fix it and it's broken, then why are we "officially" being recommended to use it in the console?

To address issues that do not require attention, run:
npm audit fix

Remove that misleading note and developers will (at least partially) stop wasting their time...

@AswillHatter

I just installed a new React project and already have this annoying message about vulnerabilities. It's unbearable.

@costa100

I have the same issue (Windows 2016 server):

>npm audit fix

up to date, audited 207 packages in 882ms

28 packages are looking for funding
  run `npm fund` for details

# npm audit report

word-wrap  *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  optionator  0.8.3 - 0.9.1
  Depends on vulnerable versions of word-wrap
  node_modules/optionator

2 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

@CSI-Cody-Pace

If you are still experiencing this issue, try this:

$ npm install -g npm-check-updates
$ ncu -u
$ npm install
$ npm audit fix --force

Tried this, but it just undid the ncu updates and downgraded everything.

@monthviewsales

If you are still experiencing this issue, try this:

$ npm install -g npm-check-updates
$ ncu -u
$ npm install
$ npm audit fix --force

This kind of worked for me. A few were still hanging on so I had to cd into the actual package's directory and then run ncu to get them to update.

@evil-shrike

What's the point in closing the bug if it's not fixed? I can't understand this. npm's behaviour is really misleading: the command can't fix anything but keeps suggesting it, and removing package-lock doesn't help at all. It seems to be a completely broken feature. Please remove it.

@kleinfreund

What's the point in closing the bug if it's not fixed? I can't understand this.

I understand that this is a frustrating state of npm to be in, but I don’t see how keeping this issue open helps anyone. I opened it well over two years ago and it was for the longest time the most upvoted open issue in npm/cli by far. I explained why I closed it, too. Note that the issue wasn’t closed by npm, but by me as the one who reported it initially.

npm can open it again at any time and signal if they have any intention of addressing it.

@evil-shrike

Yes, but honestly it doesn't seem to be a valid reason. It's up to you indeed as you're the topic starter, but closed issues never get any attention.

@niikoo

niikoo commented Mar 28, 2024

I have the same issue with the ip package. npm audit fix did not fix it, but installing the package and updating it manually helped.

@Astarosa

Astarosa commented Apr 2, 2024

I have the same issue with the ip package. npm audit fix did not fix it, but installing the package and updating it manually helped.

That's why you should use npm-check-updates. It's a CLI tool that helps you manage your package upgrades.

@dandv

dandv commented Apr 30, 2024

Before trying to fix anything, npm audit should at least tell you which of your packages depends on the vulnerable one(s).

@Jhonmacc

Jhonmacc commented Jan 9, 2025

Here is what you can do to update react-scripts:

Update react-scripts to the latest version: run the command below to update the package:

npm install react-scripts@latest
This will update react-scripts to version 5.0.1 (or the latest version).

Check again: after the update, you can run the npm outdated command again to make sure the update was successful.

Check for other outdated dependencies: if there are more outdated packages, you can follow the same procedure to update them. Use the command:

npm update
This will update all dependencies to the latest compatible version, as defined in your package.json.

Test the project: after updating react-scripts, run your project to check that everything still works correctly:

npm start
This procedure should fix the vulnerabilities associated with the outdated version of react-scripts.
