Closed kleinfreund closed 1 year ago
Same issue here in my project (https://github.com/trickfilm400/vantage-node), Troubleshooting steps tried:
This did not help in any way.
Environment:
Screenshot of console output for more information if needed
I'm having the same problem in my project https://github.com/chase-moskal/xiome
Encountering the exact same issue. Environment: Windows: 10 Node: 16.9.1 NPM: 7.24.2
Same issue, I ran the suggested force and I don't get better results. Do we need to manually add the updates for each package?
I have the same issue. I attach a screenshot, but there are a lot more vuln packages than these 2, which cannot be "fixed".
I'm seeing the same thing on numerous packages as well Win 11 Node 14.16.0 npm 7.6.3
Issue also exists in
$ node --version
v16.13.0
$ npm --version
8.1.0
Same issue here, getting worse and worse each time I run npm audit fix --force! :(
G:\>node --version
v16.13.0
G:\>npm --version
8.1.4
Started with:
1 moderate severity vulnerability To address all issues, run: npm audit fix
But after running npm audit fix --force, it then said 27 vulnerabilities (16 moderate, 9 high, 2 critical)
And after running npm audit fix --force again, it said 53 vulnerabilities (12 low, 23 moderate, 16 high, 2 critical)
One time it said 66 vulnerabilities (54 moderate, 11 high, 1 critical), and after that I left it running in a loop (for /L %i in (1,1,50) do npm audit fix --force) which alternated between 27 and 53 vulnerabilities till I killed it.
I'm now attaching all output from the above, which shows the modules it was reporting.
Is there any hope of this issue being resolved?
same problem here.
Npm 8.1.4 Node 17.1.0 Windows 11
+1, npm audit fix worsens the issue(s), and downgrades packages
I resolved this by removing "npm": "^8.1.3", from the package.json dependencies, and then npm i && npm audit fix
No idea why it was there to begin with.
As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.
I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^
Environment: node: 14.18.1 npm: 8.2.0 (latest as of today)
@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"
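The search suggested in the comment above, as an added example (not code from this thread or from the npm project): it walks a parsed package-lock.json and reports which packages declare npm as a dependency and which copies of npm are installed. The function names and the sample lockfile are constructed for illustration; pass the result of JSON.parse on your own package-lock.json to use it on a real project.

```javascript
// Added example: find where the npm CLI itself is pulled in as a dependency.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

function findNpmDependents(lock) {
  const findings = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the root project)
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    for (const field of DEP_FIELDS) {
      const range = pkg[field] && pkg[field].npm;
      if (range) findings.push({ declaredBy: path || "(root package.json)", field, range });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree where each node lists its "requires"
  const walk = (deps, trail) => {
    for (const [name, node] of Object.entries(deps || {})) {
      if (node.requires && node.requires.npm) {
        findings.push({ declaredBy: [...trail, name].join(" > "), field: "requires", range: node.requires.npm });
      }
      walk(node.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}

// Installed copies of npm (v2/v3 lockfiles): any install path ending in node_modules/npm
function installedNpmCopies(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/npm$/.test(path))
    .map(([path, pkg]) => ({ path, version: pkg.version }));
}

// Constructed sample lockfile; only the @semantic-release/npm -> npm ranges come from the thread.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo", devDependencies: { "@semantic-release/npm": "^8.0.3" } },
    "node_modules/@semantic-release/npm": { version: "8.0.3", dependencies: { npm: "^7.0.0" } },
    "node_modules/npm": { version: "7.24.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(findNpmDependents(SAMPLE_LOCK));
console.log(installedNpmCopies(SAMPLE_LOCK));
```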
Same problem... This is a significant problem.
My environment:
Ubuntu 18.04 NPM 8.3.0 Node v16.13.1
this does not fix the problem for me, I didn't have "npm": "^
in my package.json
Same problem for me.
MacOS 11.6 NPM 8.1.2 Node 16.13.2
Same problem here:
MacOS 12.1 Node v16.13.1 NPM 8.3.0
Same
same
Same
Same
Same
Same
Windows 10 Node v16.13.2 NPM v8.4.0
MacOS Node v16.13.2 NPM v8.1.2
Same issue:
Ubuntu 20.04 Node v16.13.2 NPM 8.3.2
Same issue:
Mac OS Node v16.3.0 NPM v8.1.0
Please upvote 👍 the issue instead of just commenting on it as a comment notifies everyone waiting for a resolution here and doesn't really add value. (Yes, everyone knows that it is broken across all versions right now.)
same issue: windows 10 node v16.13.2 npm 8.3.0
Same issue. macOS Big Sur 11.6.3 node v16.13.1 npm 8.5.0
Tried by:
It didn't solve the problem.
Running into this issue here on Windows 11 running NPM 8.1.2.
Same issue here
Hello. I have the same Issue:
I have tried all the potential work-arounds I have found listed throughout the Web like removing Package-lock.json and the node_modules Directory, deleting the NPM Cache with --force etc. As a total beginner who just started with NPM, this is a very bad experience so far. Nonetheless, thank you everyone working on this Project and also for fixing this as soon as possible :)
Same issue trying to run npm install expo-cli
Again, please just upvote the issue if you have nothing new to share. This is critical and everybody here is waiting for a fix. Adding more comments with no helpful update just makes the new visitors go through a longer thread and see no value.
@AliAMQ how do you "upvote" ?
@Z3TA For the purpose of reacting to an issue (e.g. up-voting it), you can find the reaction section at the bottom of the very first post in an issue.
When I search for "npm audit" in the Issues, this issue is on page 2 with 104 "thumbs up", while the issue ranked above it only has 3 "thumbs up". It's however possible to sort by emoji... So the convention to "upvote" is to use the thumbs up reaction on the first post ? @kleinfreund @AliAMQ
@Z3TA Yes, that is a convention. It signals the degree of interest in an issue (e.g. here, many people signal that they experience the same issue) and it also allows issues being sorted by such measures.
Reacting to a message does not trigger in-website or email notifications and is therefore not disrupting anyone. Commenting on an issue however is disruptive and should only be done when there is, for example, new information to contribute. Writing “Same” is not new information because it is already well established that a great number of people experience this issue. This fact is very easy to observe, too, because among other signals, the first post (i.e. the bug report in this case) has all these thumbs up reactions. Everyone who is subscribed to an issue will get notified whenever someone writes “Same”. In the case of this issue, that’s at least 37 people. For what? It doesn’t do anything good. No new information was gained and people get an avoidable notification. Not cool.
Same issue here, any update on this issue? node.js - v14.17.0 npm - 8.7.0 ubuntu - 18.04.6
Same issue, has this been solved yet?
same issue
Please upvote the issue if you believe there should be a resolution.
I just wanted to ask because it's not obvious to me in these posts, but is there a version/combo of npm and/or node that I would need to downgrade to where npm audit fix would actually do what it was intended to do? Or, is there a separate package resolver that is more up-to-date and could be recommended for this specific operation?
I'm preparing a demo on resolving package vulnerabilities and it would be great if I could show them npm audit fix (or an alternative) vs. manually updating packages, which would be a nightmare in any standard Angular application.
@JakeIwen I tried your solution, but it didn't change anything for me.
I'm also using semantic-release and therefore had a local npm installation in my node_modules, so I completely removed semantic-release, clean installed my dependencies, double checked that npm was no longer in the node_modules and ran npm audit fix.
The result was the same as before: NPM mentioned some vulnerabilities with available fixes, and that running npm audit fix would resolve the vulnerabilities, but no changes were made to the package-lock.json file, and re-running npm audit fix mentioned the exact same vulnerabilities and available fixes.
Node.js v16.15.0 and NPM v8.5.5 on Ubuntu 20.04.1 via WSL on Windows 11
Whatever messages I received. I followed them manually.
Like npm i -g reactscripts@latest
I did this for every package that was deprecated and at the end it was better
I originally was using npm 8 and as my experience was the same as others here, I decided to downgrade (even though I didn't realize OP was using npm 7).
Ran npm i npm@7 which gave me npm 7.24.2, and for reference I am on node 14.17.4.
Deleted node_modules altogether and the package-lock.json to start fresh.
Then I had to run npm cache clean --force for a specific issue.
After that, npm audit fix seems to be working fine for me. Can someone else please confirm this is at least some workaround for the issue with npm 8's npm audit fix at the moment? Just thought it was strange since OP was on npm version 7.19.0.
@nickeeromo Personally, I had this issue ever since I reported it (and in fact quite a while before that). I certainly had it on clean repositories (i.e. freshly cloned) and even on fresh npm installations.
Same here node.js - v14.18.3 npm - 8.12.1 MacOS - 12.3.1
Facing the same issue
node.js - v16.14.2 npm - 8.5.0 MacOS - 12.3.1
Same issue. node.js -16.15.1 npm - 8.11.0 ubuntu - 22.04
I tried what nickeeromo proposed, but even after downgrading to npm v.7.24 I have the same problem
Is there an existing issue for this?
Current Behavior
In my project, when running npm audit, one of the reported vulnerable packages is listed with the message “fix available via npm audit fix”, but running npm audit fix doesn’t lead to any updated packages and the exact same output as from the earlier run of npm audit is logged.
This occurs on https://github.com/kleinfreund/vue-accessible-color-picker/commit/35bec0e751abad872de79657053cb8de07321faa.
Which dependency from my package.json file is actually the vulnerable one I cannot tell with the new output of npm audit in npm 7. This is what the output looks like:
Expected Behavior
When seeing a message with the clear instruction “fix available via npm audit fix”, I expect this to be truthful and npm audit fix to always produce a changed package-lock.json file.
Steps To Reproduce
1. git clone https://github.com/kleinfreund/vue-accessible-color-picker.git
2. git checkout 35bec0e751abad872de79657053cb8de07321faa to check out the commit on the project’s main branch at the time of writing this.
3. npm install
4. npm audit. ~Observe how currently this includes an entry with the message “fix available via npm audit fix”.~ For this particular advisory, this is no longer the case, unfortunately.
5. npm audit fix
Environment