npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] npm 7.6.0 audit fix --force recommends running npm audit fix --force (the same command) to fix issues. #2798

Open mikemaccana opened 3 years ago

mikemaccana commented 3 years ago

Current Behavior:

npm audit fix --force recommends running npm audit fix --force (the same command) to fix issues.

This obviously makes no sense. npm audit fix --force should itself fix the issues reported.

$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating evergreen-ui to 5.1.2,which is a SemVer major change.

added 2 packages, removed 4 packages, changed 5 packages, and audited 2749 packages in 7s

105 packages are looking for funding
  run `npm fund` for details

# npm audit report

node-fetch  <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
fix available via `npm audit fix --force`
Will install evergreen-ui@2.0.1, which is a breaking change
node_modules/glamor/node_modules/node-fetch
node_modules/react-event-listener/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/glamor/node_modules/isomorphic-fetch
  node_modules/react-event-listener/node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/glamor/node_modules/fbjs
    node_modules/react-event-listener/node_modules/fbjs
      glamor  >=2.17.10
      Depends on vulnerable versions of fbjs
      node_modules/glamor
        evergreen-ui  *
        Depends on vulnerable versions of glamor
        Depends on vulnerable versions of react-scrollbar-size
        node_modules/evergreen-ui
      react-event-listener  0.2.0 - 0.3.0 || 0.4.4 - 0.5.10
      Depends on vulnerable versions of fbjs
      node_modules/react-event-listener
        react-scrollbar-size  1.0.0 - 2.1.0
        Depends on vulnerable versions of react-event-listener
        node_modules/react-scrollbar-size

7 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected Behavior:

npm audit fix --force should resolve the issues by updating dependencies.

Steps To Reproduce:

Detail above might be enough, but if not, LMK and I'll produce a redacted package.json

Environment:

sasidhar commented 3 years ago

I am also facing the same issue with the command npm audit fix. When I run this command, I am asked to run the same command to fix the issues.

Environment:

darcyclarke commented 3 years ago

@mikemaccana :wave: can you shoot over the redacted package.json to help us figure out what's going on? Apologies for the delay in triage, but appreciate you bringing this up.

fritzy commented 2 years ago

A reproducible version of this issue is in #5046 with a helpful discussion.

Startouf commented 1 year ago

FYI, the bug is still present in npm 9/Node 18

(I am getting alternative upgrades and downgrades similar to (if not exactly the same problem as) https://github.com/npm/cli/issues/5046)

I have been running into this issue while trying to fix the webpack/OpenSSL bug by running npm audit fix in this repo using react-scripts: https://github.com/nexmo-se/video-express-react-app

Dreistein75 commented 1 year ago

Hi there, is there any news on this bug? I would settle for a workaround as well, but getting all these vulnerability warnings on every npm install is kind of annoying...

ekkis commented 1 year ago

I've upgraded to NPM 10.2.0 / Node 21.1.0 and am seeing downgrades of a bunch of packages including gulp as a function of using --force, which I run to try to fix problems with lodash. help?
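The loop this thread describes (the report proposes evergreen-ui@2.0.1 right after evergreen-ui 5.1.2 was installed, so each run undoes the previous one) can be spotted before running `npm audit fix --force` again. The script below is an added example, not npm's code and not anything posted in this issue; it assumes the `npm audit --json` v2 report shape (`vulnerabilities[*].fixAvailable` as `true`, `false` or `{ name, version, isSemVerMajor }`) and takes installed versions from a constructed map that would normally come from package-lock.json or `npm ls --json`.

```javascript
// Added example (not npm's code, not from this issue): flag entries in an
// `npm audit --json` report whose proposed fix would DOWNGRADE an installed
// package, the shape of the loop above (5.1.2 just installed, 2.0.1 proposed).
// Minimal major.minor.patch comparison; prerelease tags and range prefixes dropped.
function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('-')[0].split('.').map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}
// report: parsed `npm audit --json` (auditReportVersion 2, npm 7+); fixAvailable is
// true/false or { name, version, isSemVerMajor }. installed: { name: version }
// as read from package-lock.json or `npm ls --json` (assumed input, constructed below).
function findDowngradeFixes(report, installed) {
  const findings = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (!fix || typeof fix !== 'object') continue; // no concrete target version
    const current = installed[fix.name];
    if (current !== undefined && compareVersions(fix.version, current) < 0) {
      findings.push({
        vulnerable: vuln.name,
        fixTarget: `${fix.name}@${fix.version}`,
        installed: `${fix.name}@${current}`,
        breaking: Boolean(fix.isSemVerMajor),
      });
    }
  }
  return findings;
}
// Constructed sample modelled on the report in this issue (not real audit output).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'node-fetch': { name: 'node-fetch', severity: 'low', isDirect: false,
      range: '<=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8',
      fixAvailable: { name: 'evergreen-ui', version: '2.0.1', isSemVerMajor: true } },
    'evergreen-ui': { name: 'evergreen-ui', severity: 'low', isDirect: true, range: '*',
      fixAvailable: { name: 'evergreen-ui', version: '2.0.1', isSemVerMajor: true } },
  },
};
const SAMPLE_INSTALLED = { 'evergreen-ui': '5.1.2', 'node-fetch': '2.6.0' };
const DOWNGRADES = findDowngradeFixes(SAMPLE_REPORT, SAMPLE_INSTALLED);
console.log(JSON.stringify(DOWNGRADES, null, 2)); // two downgrade findings
```

A non-empty result is the cue to pin or override the package (or update the dependent that drags in the old range) rather than rerun the command; a fix that lists only `true` or `false` carries no target version and is skipped.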