Open thany opened 6 months ago
I am getting exactly the same effect.
I have updated to npm version 10.5.0.
I am using Windows 11 23H2.
This is the output I get from `npm audit fix`:
```
up to date, audited 1247 packages in 20s

148 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  2.24.0-rc1 - 3.0.0-alpha.2
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync

undici  <=5.28.2
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
fix available via `npm audit fix`
node_modules/undici
  @angular-devkit/build-angular  16.0.0-next.0 - 16.2.11 || 17.0.0-next.0 - 17.1.0-rc.1
  Depends on vulnerable versions of browser-sync
  Depends on vulnerable versions of undici
  Depends on vulnerable versions of vite
  node_modules/@angular-devkit/build-angular

vite  4.0.0 - 4.5.1
Severity: high
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - https://github.com/advisories/GHSA-c24v-8rfc-w8vw
fix available via `npm audit fix`
node_modules/vite

6 vulnerabilities (1 low, 3 moderate, 2 high)

To address all issues, run:
  npm audit fix
```
It doesn't make much sense to suggest I use `npm audit fix` to address the issues, when that is exactly the command which I entered.
I get a similar reporting loop here on macos:
macos: 10.15.7 node: 18.19.0 npm: 10.2.3
```
$ npm audit fix
up to date, audited 1935 packages in 6s

258 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  2.24.0-rc1 - 3.0.0-alpha.2
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix
```
Same here on Manjaro Linux (LTS kernel), latest version of npm.
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
I'm running `npm audit fix` to fix a vulnerability. Output:

This tells me to run the `npm audit fix` command. So if I then do the (same) `npm audit fix` command again, just like the output instructs me to do, it just gives the same output again. So this looks to me like it's only able to produce a report, but not a fix.

Expected Behavior

`npm audit fix` updates the offending package, thereby fixing the vulnerability. When executing this command twice, it should not be possible to see the same vulnerability again if there is a fix for it.

Steps To Reproduce

1. `npm audit fix` from workspaces root, not from an individual workspace

I don't know what causes this. If I knew, I would definitely let you know. So maybe I could ask, what could possibly prevent an audit fix from being applied?
Environment
(comments stripped out)
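The question at the end of the issue, what can stop a fix from being applied, is partly answerable from the machine-readable report. The example below is added here and is not npm's code nor code from anyone in this thread: it triages a saved `npm audit --json` report offline. It assumes the `auditReportVersion` 2 layout that npm 7 and later emit (a `vulnerabilities` map with `via`, `effects`, `nodes` and `fixAvailable`, where `fixAvailable` is `true`, `false`, or an object naming the top-level package to update together with `isSemVerMajor`). The embedded sample report is constructed for the example: the advisory URLs are the ones quoted in this thread, the fix version is a placeholder, and the dependency chain is trimmed. A `fixAvailable` object with `isSemVerMajor: true` is the case where `npm audit fix` keeps re-reporting unless run with `--force`; `false` means no fixed release exists at all. The example does not explain the workspaces behaviour reported above, it only shows how to read the report.

```python
"""Triage an `npm audit --json` report offline (added example, not npm's code).

Assumes the auditReportVersion 2 layout emitted by npm 7+: "vulnerabilities"
is keyed by package name and each entry carries "severity", "isDirect",
"via" (advisory objects, or the names of vulnerable dependencies the
problem is inherited from), "effects", "nodes" and "fixAvailable".
"""
import json
from typing import Any, Optional, Tuple

# Constructed sample: advisory URLs are the ones quoted in the thread, the
# fix version is a placeholder, and the dependency chain is trimmed.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "axios": {
            "name": "axios", "severity": "moderate", "isDirect": False,
            "via": [{"source": 1, "name": "axios", "dependency": "axios",
                     "title": "Axios Cross-Site Request Forgery Vulnerability",
                     "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
                     "severity": "moderate", "range": "0.8.1 - 0.27.2"}],
            "effects": ["localtunnel"], "range": "0.8.1 - 0.27.2",
            "nodes": ["node_modules/axios"],
            "fixAvailable": {"name": "browser-sync",
                             "version": "0.0.0-placeholder", "isSemVerMajor": True},
        },
        "localtunnel": {
            "name": "localtunnel", "severity": "moderate", "isDirect": False,
            "via": ["axios"], "effects": ["browser-sync"], "range": ">=1.9.0",
            "nodes": ["node_modules/localtunnel"],
            "fixAvailable": {"name": "browser-sync",
                             "version": "0.0.0-placeholder", "isSemVerMajor": True},
        },
        "undici": {
            "name": "undici", "severity": "low", "isDirect": False,
            "via": [{"source": 2, "name": "undici", "dependency": "undici",
                     "title": "Undici proxy-authorization header not cleared on redirect",
                     "url": "https://github.com/advisories/GHSA-3787-6prv-h9w3",
                     "severity": "low", "range": "<=5.28.2"}],
            "effects": ["@angular-devkit/build-angular"], "range": "<=5.28.2",
            "nodes": ["node_modules/undici"], "fixAvailable": True,
        },
    },
})


def load_report(text: str) -> dict:
    """Parse the JSON and refuse layouts this triage does not understand."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected auditReportVersion 2 (npm 7 or later)")
    return report


def fix_status(fix: Any) -> Tuple[str, Optional[str]]:
    """Map fixAvailable to a status and the package@version that must change.

    'none'          no fixed release exists for the chain
    'in-place'      npm audit fix can update within the current ranges
    'update'        a top-level package moves to a newer compatible version
    'semver-major'  the top-level package must cross a major boundary, which
                    npm audit fix only does with --force
    """
    if not fix:
        return "none", None
    if fix is True:
        return "in-place", None
    target = f"{fix['name']}@{fix['version']}"
    return ("semver-major" if fix.get("isSemVerMajor") else "update"), target


def triage(report: dict) -> list:
    """One row per vulnerable package, sorted by name."""
    rows = []
    for name, vuln in sorted(report["vulnerabilities"].items()):
        via = vuln.get("via", [])
        status, target = fix_status(vuln.get("fixAvailable"))
        rows.append({
            "package": name,
            "severity": vuln.get("severity", "unknown"),
            "direct": bool(vuln.get("isDirect")),
            # advisories filed against this package itself
            "advisories": [v["url"] for v in via if isinstance(v, dict)],
            # packages whose vulnerability this one merely inherits
            "inherited_from": [v for v in via if isinstance(v, str)],
            "nodes": list(vuln.get("nodes", [])),
            "fix": status,
            "fix_target": target,
        })
    return rows


def needs_force(rows: list) -> list:
    """Packages whose only fix crosses a major version boundary."""
    return [r["package"] for r in rows if r["fix"] == "semver-major"]


def unfixable(rows: list) -> list:
    """Packages with no fixed release to move to."""
    return [r["package"] for r in rows if r["fix"] == "none"]


def explain(rows: list) -> list:
    """Human-readable line per package, suitable for a ticket or CI log."""
    out = []
    for r in rows:
        origin = "direct dependency" if r["direct"] else "transitive"
        if r["inherited_from"]:
            origin += " (inherits from " + ", ".join(r["inherited_from"]) + ")"
        if r["fix"] == "none":
            action = "no fix published; pin, patch or replace"
        elif r["fix"] == "in-place":
            action = "npm audit fix can apply it"
        elif r["fix"] == "update":
            action = f"update {r['fix_target']}"
        else:
            action = f"needs {r['fix_target']} (major bump; npm audit fix --force)"
        out.append(f"{r['package']:<16} {r['severity']:<9} {origin}; {action}")
    return out


if __name__ == "__main__":
    for line in explain(triage(load_report(SAMPLE_REPORT))):
        print(line)
```

To use it on a real project, save the report with `npm audit --json > audit.json` and pass the file contents to `load_report`; the `needs_force` and `unfixable` lists are the two cases in which `npm audit fix` alone will keep printing the same report, and the `advisories` field separates packages that are vulnerable themselves from packages that only inherit the problem through `via`.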