npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] npm audit fix doesn't work #3472

Closed kleinfreund closed 1 year ago

kleinfreund commented 3 years ago

Is there an existing issue for this?

Current Behavior

In my project, when running npm audit, one of the reported vulnerable packages is listed with the message “fix available via npm audit fix”, but running npm audit fix doesn’t lead to any updated packages and the exact same output as from the earlier run of npm audit is logged.

This occurs on https://github.com/kleinfreund/vue-accessible-color-picker/commit/35bec0e751abad872de79657053cb8de07321faa.

Which dependency from my package.json file is actually the vulnerable one I cannot tell with the new output of npm audit in npm 7. This is what the output looks like:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix`
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

Expected Behavior

When seeing a message with the clear instruction “fix available via npm audit fix”, I expect this to be truthful and npm audit fix to always produce a changed package-lock.json file.

Steps To Reproduce

  1. Run git clone https://github.com/kleinfreund/vue-accessible-color-picker.git
  2. Run git checkout 35bec0e751abad872de79657053cb8de07321faa to check out the commit on the project’s main branch at the time of writing this.
  3. Run npm install
  4. Run npm audit. ~Observe how currently this includes an entry with the message “fix available via npm audit fix”.~ For this particular advisory, this is no longer the case, unfortunately.
  5. Run npm audit fix

Environment
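
The text output of npm 7's audit (see the css-what chain above) does not say which package.json dependency pulls the vulnerable package in. The JSON form, `npm audit --json`, does carry that: each entry lists the packages it reaches (`effects`), whether it is a direct dependency (`isDirect`), and a `fixAvailable` field that is `true`, `false`, or an object naming a top-level change with an `isSemVerMajor` flag. The script below is an added example, not part of this issue and not npm's own code. It walks a constructed report modelled on the chain above, traces each advisory back to the direct dependency to bump, and classifies what `npm audit fix` can do with it. The report, its versions, the two "example-*" packages and their advisory URLs are constructed placeholders; postcss-svgo is marked as a direct dependency for illustration only.

```javascript
// Added example (not part of the issue or of npm itself): trace findings in an
// npm 7 `npm audit --json` report back to the direct dependency that pulls them
// in, and classify what `npm audit fix` can do with each one.
// The report below is CONSTRUCTED. The css-what -> css-select -> svgo ->
// postcss-svgo chain mirrors the issue's text output; postcss-svgo is marked
// as a direct dependency for illustration, and the two "example-*" packages,
// their versions and advisory URLs are placeholders.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "css-what": {
      name: "css-what", severity: "high", isDirect: false,
      via: [{ source: 1754, name: "css-what", title: "Denial of Service",
              url: "https://npmjs.com/advisories/1754", severity: "high", range: "<5.0.1" }],
      effects: ["css-select"], range: "<5.0.1",
      nodes: ["node_modules/css-what"], fixAvailable: true,
    },
    "css-select": {
      name: "css-select", severity: "high", isDirect: false,
      via: ["css-what"], effects: ["svgo"], range: "<=3.1.2",
      nodes: ["node_modules/css-select"], fixAvailable: true,
    },
    svgo: {
      name: "svgo", severity: "high", isDirect: false,
      via: ["css-select"], effects: ["postcss-svgo"], range: "1.0.0 - 2.3.0",
      nodes: ["node_modules/svgo"], fixAvailable: true,
    },
    "postcss-svgo": {
      name: "postcss-svgo", severity: "high", isDirect: true,
      via: ["svgo"], effects: [], range: "4.0.0-nightly.2020.1.9 - 5.0.0-rc.2",
      nodes: ["node_modules/postcss-svgo"], fixAvailable: true,
    },
    "example-build-tool": {
      name: "example-build-tool", severity: "moderate", isDirect: true,
      via: [{ name: "example-build-tool", title: "Constructed placeholder advisory",
              url: "https://example.invalid/advisory/placeholder", severity: "moderate", range: "<2.0.0" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/example-build-tool"],
      // Fixing this means moving a top-level dependency across a major version.
      fixAvailable: { name: "example-build-tool", version: "2.0.0", isSemVerMajor: true },
    },
    "example-unmaintained-lib": {
      name: "example-unmaintained-lib", severity: "critical", isDirect: true,
      via: [{ name: "example-unmaintained-lib", title: "Constructed placeholder advisory",
              url: "https://example.invalid/advisory/placeholder-2", severity: "critical", range: "*" }],
      effects: [], range: "*", nodes: ["node_modules/example-unmaintained-lib"],
      fixAvailable: false, // no patched release exists
    },
  },
};

// Follow `effects` edges (package -> packages that depend on it) until reaching
// entries with isDirect: true, i.e. the package.json dependencies to bump.
function directRoots(report, pkgName, seen = new Set()) {
  const entry = report.vulnerabilities[pkgName];
  if (!entry || seen.has(pkgName)) return [];
  seen.add(pkgName);
  const roots = entry.isDirect ? [pkgName] : [];
  for (const parent of entry.effects || []) {
    roots.push(...directRoots(report, parent, seen));
  }
  return [...new Set(roots)];
}

// What `npm audit fix` can do with an entry, from its fixAvailable field:
//   "auto"  - true, or a top-level change that is not semver-major
//   "force" - the fix is a semver-major (breaking) change; only applied with --force
//   "none"  - false: no fixed version is published
function fixClass(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return "auto";
  if (fix && typeof fix === "object") return fix.isSemVerMajor ? "force" : "auto";
  return "none";
}

// One row per advisory. Advisories appear as objects in `via`; a bare string
// in `via` only means "depends on a vulnerable version of <string>".
function summarize(report) {
  const rows = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    for (const adv of (entry.via || []).filter((v) => typeof v === "object")) {
      rows.push({ package: name, advisory: adv.url, severity: adv.severity,
                  roots: directRoots(report, name), fix: fixClass(entry) });
    }
  }
  return rows;
}

// Human-readable summary: severity, leaf package, advisory, root to bump, fix class.
function render(report) {
  return summarize(report).map((r) =>
    `${r.severity.padEnd(8)} ${r.package} (${r.advisory})\n` +
    `         direct dependency to bump: ${r.roots.join(", ") || "(none found)"}; fix: ${r.fix}`
  ).join("\n");
}

console.log(render(sampleReport));
```

To run it against a real project, replace `sampleReport` with the parsed output of `npm audit --json`. The classification separates findings that `npm audit fix` is meant to apply on its own ("auto") from those it deliberately leaves untouched without `--force` ("force") and those with no published fix ("none"), so a reader can tell whether a finding that keeps reappearing is expected npm behaviour or the defect reported in this issue.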

Trickfilm400 commented 3 years ago

Same issue here in my project (https://github.com/trickfilm400/vantage-node). Troubleshooting steps tried:

This did not help in any way.

Environment:

(Screenshot of console output attached for more information if needed.)

chase-moskal commented 3 years ago

i'm having the same problem in my project https://github.com/chase-moskal/xiome

Rationum commented 3 years ago

Encountering the exact same issue. Environment: Windows: 10 Node: 16.9.1 NPM: 7.24.2

jeffreywdonahue commented 3 years ago

Same issue, I ran the suggested force and I don't get better results. Do we need to manually add the updates for each package?

tyukesz commented 3 years ago

I have the same issue. I attach a screenshot, but there are lot more vuln packages than these 2, which cannot be "fixed".

(Screenshot attached.)

cpolanish commented 3 years ago

I'm seeing the same thing on numerous packages as well Win 11 Node 14.16.0 npm 7.6.3

(Screenshot attached.)

frudolph77 commented 2 years ago

Issue also exists in

$ node --version
v16.13.0
$ npm --version
8.1.0

petera703 commented 2 years ago

Same issue here, getting worse and worse each time I run npm audit fix --force! :(

G:\>node --version
v16.13.0
G:\>npm --version
8.1.4

Started with:

1 moderate severity vulnerability
To address all issues, run:
  npm audit fix

But after running npm audit fix --force, it then said 27 vulnerabilities (16 moderate, 9 high, 2 critical)

And after running npm audit fix --force again, it said 53 vulnerabilities (12 low, 23 moderate, 16 high, 2 critical)

One time it said 66 vulnerabilities (54 moderate, 11 high, 1 critical), and after that I left it running in a loop (for /L %i in (1,1,50) do npm audit fix --force) which alternated between 27 and 53 vulnerabilities till I killed it.

I'm now attaching all output from the above, which shows the modules it was reporting.

_tmp.txt

RienBijl commented 2 years ago

Is there any hope of this issue being resolved?

marte3707 commented 2 years ago

same problem here.

Npm 8.1.4 Node 17.1.0 Windows 11

aubreyyan commented 2 years ago

+1, npm audit fix worsens the issue(s), and downgrades packages

JakeIwen commented 2 years ago

I resolved this by removing "npm": "^8.1.3", from the package.json dependencies and then running npm i && npm audit fix. No idea why it was there to begin with.

As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.

I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^

Environment: node: 14.18.1 npm: 8.2.0 (latest as of today)

@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

inf3rnus commented 2 years ago

Same problem... This is a significant problem.

My environment:

Ubuntu 18.04 NPM 8.3.0 Node v16.13.1

aubreyyan commented 2 years ago

I resolved this by removing "npm": "^8.1.3", from the package.json dependencies and then running npm i && npm audit fix. No idea why it was there to begin with.

As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.

I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^

Environment: node: 14.18.1 npm: 8.2.0 (latest as of today)

@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

this does not fix the problem for me, I didn't have "npm": "^ in my package.json

andrewtannernumiko commented 2 years ago

Same problem for me.

MacOS 11.6 NPM 8.1.2 Node 16.13.2

VasilisTako commented 2 years ago

Same problem here:

MacOS 12.1 Node v16.13.1 NPM 8.3.0

AlexandreLage commented 2 years ago

Same

net-tech commented 2 years ago

same

lprekon commented 2 years ago

Same

raffaeltavares commented 2 years ago

Same

mytechnotalent commented 2 years ago

Same

mytechnotalent commented 2 years ago

Same

GhostGlitch commented 2 years ago

Windows 10 Node v16.13.2 NPM v8.4.0

mytechnotalent commented 2 years ago

MacOS Node v16.13.2 NPM v8.1.2

thucngyyen commented 2 years ago

Same issue:

Ubuntu 20.04 Node v16.13.2 NPM 8.3.2

the-homeless-god commented 2 years ago

Same issue:

Mac OS Node v16.3.0 NPM v8.1.0

johanneswuerbach commented 2 years ago

Please upvote 👍 the issue instead of just commenting on it, as a comment notifies everyone waiting for a resolution here and doesn't really add value. (Yes, everyone knows that it is broken across all versions right now.)

Joydeep-Kundu commented 2 years ago

same issue: windows 10 node v16.13.2 npm 8.3.0

cionz0 commented 2 years ago

Same issue. macOS Big Sur 11.6.3 node v16.13.1 npm 8.5.0

Tried by:

It didn't solve the problem.

tylerlazenby commented 2 years ago

Running into this issue here on Windows 11 running NPM 8.1.2.

DonnieTD commented 2 years ago

Same issue here

MeerMusik commented 2 years ago

Hello. I have the same Issue:

I have tried all the potential workarounds I have found listed throughout the Web, like removing package-lock.json and the node_modules directory, deleting the NPM cache with --force, etc. As a total beginner who just started with NPM, this is a very bad experience so far. Nonetheless, thank you everyone working on this project and also for fixing this as soon as possible :)

StaySafeStayHealthyEveryone

CalabazaArdiente commented 2 years ago

Same issue trying to run npm install expo-cli

AliAMQ commented 2 years ago

Again, please just upvote the issue if you have nothing new to share. This is critical and everybody here is waiting for a fix. Adding more comments with no helpful update just makes new visitors go through a longer thread and see no value.

Z3TA commented 2 years ago

@AliAMQ how do you "upvote" ?

kleinfreund commented 2 years ago

@Z3TA For the purpose of reacting to an issue (e.g. up-voting it), you can find the reaction section at the bottom of the very first post in an issue.

Z3TA commented 2 years ago

When I search for "npm audit" in the Issues, this issue is on page 2 with 104 "thumbs up", while the issue ranked above it only has 3 "thumbs up". It's however possible to sort by emoji... So the convention to "upvote" is to use the thumbs up reaction on the first post? @kleinfreund @AliAMQ

kleinfreund commented 2 years ago

@Z3TA Yes, that is a convention. It signals the degree of interest in an issue (e.g. here, many people signal that they experience the same issue) and it also allows issues to be sorted by such measures.

Reacting to a message does not trigger in-website or email notifications and is therefore not disrupting anyone. Commenting on an issue however is disruptive and should only be done when there is, for example, new information to contribute. Writing “Same” is not new information because it is already well established that a great number of people experience this issue. This fact is very easy to observe, too, because among other signals, the first post (i.e. the bug report in this case) has all these thumbs up reactions. Everyone who is subscribed to an issue will get notified whenever someone writes “Same”. In the case of this issue, that’s at least 37 people. For what? It doesn’t do anything good. No new information was gained and people get an avoidable notification. Not cool.

gagan-bansal commented 2 years ago

Same issue here, any update on this issue? node.js - v14.17.0 npm - 8.7.0 ubuntu - 18.04.6

cjdevito11 commented 2 years ago

Same issue, has this been solved yet?

laurynnlowe commented 2 years ago

same issue

nickeeromo commented 2 years ago

Please upvote the issue if you believe there should be a resolution.

I just wanted to ask because it's not obvious to me in these posts, but is there a version/combo of npm and/or node that I would need to downgrade to where npm audit fix would actually do what it was intended to do? Or, is there a separate package resolver that is more up-to-date and could be recommended for this specific operation?

I'm preparing a demo on resolving package vulnerabilities and it would be great if I could show them npm audit fix (or an alternative) vs. manually updating packages, which would be a nightmare in any standard Angular application.

thijsdaniels commented 2 years ago

@JakeIwen I tried your solution, but it didn't change anything for me.

I'm also using semantic-release and therefore had a local npm installation in my node_modules, so I completely removed semantic-release, clean installed my dependencies, double checked that npm was no longer in the node_modules and ran npm audit fix.

The result was the same as before: NPM mentioned some vulnerabilities with available fixes, and that running npm audit fix would resolve the vulnerabilities, but no changes were made to the package-lock.json file, and re-running npm audit fix mentioned the exact same vulnerabilities and available fixes.

Node.js v16.15.0 and NPM v8.5.5 on Ubuntu 20.04.1 via WSL on Windows 11

ThePiyushAggarwal commented 2 years ago

Whatever messages I received. I followed them manually.

Like

npm i -g reactscripts@latest

I did this for every package that was deprecated and at the end it was better

nickeeromo commented 2 years ago

Please upvote the issue if you believe there should be a resolution.

I just wanted to ask because it's not obvious to me in these posts, but is there a version/combo of npm and/or node that I would need to downgrade to where npm audit fix would actually do what it was intended to do? Or, is there a separate package resolver that is more up-to-date and could be recommended for this specific operation?

I'm preparing a demo on resolving package vulnerabilities and it would be great if I could show them npm audit fix (or an alternative) vs. manually updating packages, which would be a nightmare in any standard Angular application.

I originally was using npm 8 and as my experience was the same as others here, I decided to downgrade (even though I didn't realize OP was using npm 7).

Ran npm i npm@7 which gave me npm 7.24.2, and for reference I am on node 14.17.4.

Deleted node_modules altogether and the package-lock.json to start fresh. Then I had to run npm cache clean --force for a specific issue.

After that, npm audit fix seems to be working fine for me. Can someone else please confirm this is at least some workaround for the issue with npm 8's npm audit fix at the moment? Just thought it was strange since OP was on npm version 7.19.0.

kleinfreund commented 2 years ago

@nickeeromo Personally, I had this issue ever since I reported it (and in fact quite a while before that). I certainly had it on clean repositories (i.e. freshly cloned) and even on fresh npm installations.

Thomas-1985 commented 2 years ago

Same here node.js - v14.18.3 npm - 8.12.1 MacOS - 12.3.1

ssurana2 commented 2 years ago

Facing the same issue

node.js - v16.14.2 npm - 8.5.0 MacOS - 12.3.1

AlexZajork commented 2 years ago

Same issue. node.js - 16.15.1 npm - 8.11.0 ubuntu - 22.04

Thomas-1985 commented 2 years ago

I tried what nickeeromo proposed, but even after downgrading to npm v.7.24 I have the same problem.