[BUG] npm audit fix doesn't work

[kleinfreund]

Is there an existing issue for this?

• [X] I have searched the existing issues

Current Behavior

In my project, when running npm audit, one of the reported vulnerable packages is listed with the message “fix available via npm audit fix”, but running npm audit fix doesn’t lead to any updated packages and the exact same output as from the earlier run of npm audit is logged.

This occurs on https://github.com/kleinfreund/vue-accessible-color-picker/commit/35bec0e751abad872de79657053cb8de07321faa.

Which dependency from my package.json file is actually the vulnerable one I cannot tell with the new output of npm audit in npm 7. This is what the output looks like:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix`
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

Expected Behavior

When seeing a message with the clear instruction “fix available via npm audit fix”, I expect this to be truthful and npm audit fix to always produce a changed package-lock.json file.

Steps To Reproduce

1. Run git clone https://github.com/kleinfreund/vue-accessible-color-picker.git
2. Run git checkout 35bec0e751abad872de79657053cb8de07321faa to checkout the commit on the project’s main branch at the time of writing this.
3. Run npm install
4. Run npm audit. ~Observe how currently this includes an entry with the message “fix available via npm audit fix”.~ For this particular advisory, this is no longer the case, unfortunately.
5. Run npm audit fix

Environment

• OS: Ubuntu 20.04
• Node: v14.17.1
• npm: 7.19.0

[Trickfilm400]

Same issue here in my project (https://github.com/trickfilm400/vantage-node), Troubleshooting steps tried:

• deleting package-lock.json
• deleting node_modules/ folder

this did not helped in any way

Environment:

• Windows 10
• npm 7.19.0
• node v14.17.0

Screenshot of console output for more information if needed

[chase-moskal]

i'm having the same problem in my project https://github.com/chase-moskal/xiome

[Rationum]

Encountering the exact same issue. Enviroment: Windows: 10 Node: 16.9.1 NPM: 7.24.2

[jeffreywdonahue]

Same issue, I ran the suggested force and I don't get better results. Do we need to manually add the updates for each package?

[tyukesz]

I have the same issue. I attach a screenshot, but there are lot more vuln packages than these 2, which cannot be "fixed".

[cpolanish]

I'm seeing the same thing on numerous packages as well Win 11 Node 14.16.0 npm 7.6.3

[frudolph77]

Issue also exist in

$ node --version
v16.13.0
$ npm --version
8.1.0

[petera703]

Same issue here, getting worse and worse each time I run npm audit fix --force! :(

G:\>node --version v16.13.0 G:\>npm --version 8.1.4

Started with:

1 moderate severity vulnerability To address all issues, run: npm audit fix

But after running npm audit fix --force, it then said 27 vulnerabilities (16 moderate, 9 high, 2 critical)

And after running npm audit fix --force again, it said 53 vulnerabilities (12 low, 23 moderate, 16 high, 2 critical)

One time it said 66 vulnerabilities (54 moderate, 11 high, 1 critical), and after that I left it running in a loop (for /L %i in (1,1,50) do npm audit fix --force) which alternated between 27 and 53 vulnerabilities till I killed it.

I'm now attaching all output from the above, which shows the modules it was reporting.

_tmp.txt

[RienBijl]

Is there any hope of this issue being resolved?

[marte3707]

same problem here.

Npm 8.1.4 Node 17.1.0 WIndows 11

[aubreyyan]

+1, npm audit fix worsens the issue(s), and downgrades packages

[JakeIwen]

I resolved this by removing "npm": "^8.1.3", from the package.json dependencies. and then npm i && npm audit fix No idea why it was there to begin with.

As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.

I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^

Environment: node: 14.18.1 npm: 8.2.0 (latest as of today)

@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

[inf3rnus]

Same problem... This is a significant problem.

My environment:

Ubuntu 18.04 NPM 8.3.0 Node v16.13.1

[aubreyyan]

I resolved this by removing "npm": "^8.1.3", from the package.json dependencies. and then npm i && npm audit fix No idea why it was there to begin with.

As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.

I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^

Environment: node: 14.18.1 npm: 8.2.0 (latest as of today)

@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

this does not fix the problem for me, I didn't have "npm": "^ in my package.json

[andrewtannernumiko]

Same problem for me.

MacOS 11.6 NPM 8.1.2 Node 16.13.2

[VasilisTako]

Same problem here:

MacOS 12.1 Node v16.13.1 NPM 8.3.0

[AlexandreLage]

Same

[net-tech]

same

[lprekon]

Same

[raffaeltavares]

Same

[mytechnotalent]

Same

[mytechnotalent]

Same

[GhostGlitch]

Windows 10 Node v16.13.2 NPM v8.4.0

[mytechnotalent]

MacOS Node v16.13.2 NPM v8.1.2

[thucngyyen]

Same issue:

Ubuntu 20.04 Node v16.13.2 NPM 8.3.2

[the-homeless-god]

Same issue:

Mac OS Node v16.3.0 NPM v8.1.0

[johanneswuerbach]

Please upvote 👍 the issue instead of a just commenting on it as a comment notifies everyone waiting for a resolution here and doesn't really add value. (Yes, everyone knows that it is broken across all versions right now.)

[Joydeep-Kundu]

same issue: windows 10 node v16.13.2 npm 8.3.0

[cionz0]

Same issue. macOS Big Sur 11.6.3 node v16.13.1 npm 8.5.0

Tried by:

• deleting package-lock.json
• deleting node_modules folder
• running ncu -u
• running npm update
• and finally running again npm install

It didn't solve the problem.

[tylerlazenby]

Running into this issue here on Windows 11 running NPM 8.1.2.

[DonnieTD]

Same issue here

[MeerMusik]

Hello. I have the same Issue:

• Windows: 10, 21H2, 19044.1586, x64
• Node Version: 17.8.0, x64
• NPM Version: 8.5.5, x64

I have tried all the potential work-arounds I have found listed throughout the Web like removing Package-lock.json and the node_modules Directory, deleting the NPM Cache with --force etc. As a total beginner who just started with NPM, this is a very bad experience so far. Nonetheless, thank you everyone working on this Project and also for fixing this as soon as possible :)

StaySafeStayHealthyEveryone

[CalabazaArdiente]

Same issue trying to run npm install expo-cli

[AliAMQ]

Again, please just upvote the issue if you have nothing new to share. This is critical and everybody here is waiting for a fix. Adding more comments with no helpful update just makes the new visitors go through a longer thread and see no values.

[Z3TA]

@AliAMQ how do you "upvote" ?

[kleinfreund]

@Z3TA For the purpose of reacting to an issue (e.g. up-voting it), you can find the reaction section at the bottom of the very first post in an issue.

[Z3TA]

When I search for "npm audit" in the Issues, this issue is on page 2 with 104 "thumbs up", while the issue ranked above it only has 3 "thumbs up". It's however possible to sort by emoji... So the convention to "upvote" is to use the thumbs up reaction on the first post ? @kleinfreund @AliAMQ

[kleinfreund]

@Z3TA Yes, that is a convention. It signals the degree of interest in an issue (e.g. here, many people signal that they experience the same issue) and it also allows issues being sorted by such measures.

Reacting to a message does not trigger in-website or email notifications and is therefore not disrupting anyone. Commenting on an issue however is disruptive and should only be done when there is, for example, new information to contribute. Writing “Same” is not new information because it is already well established that a great number of people experience this issue. This fact is very easy to observe, too, because among other signals, the first post (i.e. the bug report in this case) has all these thumbs up reactions. Everyone who is subscribed to an issue will get notified whenever someone writes “Same”. In the case of this issue, that’s at least 37 people. For what? It doesn’t do anything good. No new information was gained and people get an avoidable notification. Not cool.

[gagan-bansal]

Same issue here, any update on this issue? node.js - v14.17.0 npm - 8.7.0 ubuntu - 18.04.6

[cjdevito11]

Same issue, has this been solved yet?

[laurynnlowe]

same issue

[nickeeromo]

Please upvote the issue if you believe there should be a resolution.

I just wanted to ask because it's not obvious to me in these posts, but is there a version/combo of npm and/or node that I would need to downgrade to where npm audit fix would actually do what it was intended to do? Or, is there a separate package resolver that is more up-to-date and could be recommended for this specific operation?

I'm preparing a demo on resolving package vulnerabilities and it would be great if I could show them npm audit fix (or an alternative) vs. manually updating packages, which would be a nightmare in any standard Angular application.

[thijsdaniels]

@JakeIwen I tried your solution, but it didn't change anything for me.

I'm also using semantic-release and therefore had a local npm installation in my node_modules, so I completely removed semantic-release, clean installed my dependencies, double checked that npm was no longer in the node_modules and ran npm audit fix.

The result was the same as before: NPM mentioned some vulnerabilities with available fixes, and that running npm audit fix would resolve the vulnerabilities, but no changes were made to the package-lock.json file, and re-running npm audit fix mentioned the exact same vulnerabilities and available fixes.

Node.js v16.15.0 and NPM v8.5.5 on Ubuntu 20.04.1 via WSL on Windows 11

[ThePiyushAggarwal]

Whatever messages I received. I followed them manually.

Like

npm i -g reactscripts@latest

I did this for every package that was deprecated and at the end it was better

[nickeeromo]

Please upvote the issue if you believe there should be a resolution.

I just wanted to ask because it's not obvious to me in these posts, but is there a version/combo of npm and/or node that I would need to downgrade to where npm audit fix would actually do what it was intended to do? Or, is there a separate package resolver that is more up-to-date and could be recommended for this specific operation?

I'm preparing a demo on resolving package vulnerabilities and it would be great if I could show them npm audit fix (or an alternative) vs. manually updating packages, which would be a nightmare in any standard Angular application.

I originally was using npm 8 and as my experience was the same as others here, I decided to downgrade (even though I didn't realize OP was using npm 7).

Ran npm i npm@7 which gave me npm 7.24.2, and for reference I am on node 14.17.4.

Deleted node_modules altogether and the package-lock.json to start fresh. Then I had to run npm cache clean --force for a specific issue.

After that, npm audit fix seems to be working fine for me. Can someone else please confirm this is at least some workaround for the issue with npm 8's npm audit fix at the moment? Just thought it was strange since OP was on npm version 7.19.0.

[kleinfreund]

@nickeeromo Personally, I had this issue ever since I reported it (and in fact quite a while before that). I certainly had it on clean repositories (i.e. freshly cloned) and even on fresh npm installations.

[Thomas-1985]

Same here node.js - v14.18.3 npm - 8.12.1 MacOS - 12.3.1

[ssurana2]

Facing the same issue

node.js - v16.14.2 npm - 8.5.0 MacOS - 12.3.1

[AlexZajork]

Same issue. node.js -16.15.1 npm - 8.11.0 ubuntu - 22.04

[Thomas-1985]

I tried what nickeeromo proposed, but even after downgrading to npm v.7.24 i have the same problem