npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] `npm audit fix` only reports and doesn't fix #7123

Open thany opened 6 months ago

thany commented 6 months ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

I'm running npm audit fix to fix a vulnerability. Output:

> npm audit fix

changed 1 package, and audited 1665 packages in 2s

298 packages are looking for funding
  run `npm fund` for details

# npm audit report

follow-redirects  <1.15.4
Severity: high
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix`
node_modules/follow-redirects

1 high severity vulnerability

To address all issues, run:
  npm audit fix

This tells me:

  1. There is indeed a vulnerability
  2. There is a fix for it
  3. That fix can be applied using the npm audit fix command.

So if I then do the (same) npm audit fix command again, just like the output instructs me to do, it just gives the same output again. So this looks to me like it's only able to produce a report, but not a fix.

Expected Behavior

npm audit fix updates the offending package, thereby fixing the vulnerability. When executing this command twice, it should not be possible to see the same vulnerability again if there is a fix for it.

Steps To Reproduce

  1. Have workspaces. Maybe, not sure, it's just what I have.
  2. Have a vulnerability somewhere. Not sure if it matters what kind, if it does matter, then see above output example.
  3. Run npm audit fix from workspaces root, not from an individual workspace

I don't know what causes this. If I knew, I would definitely let you know. So maybe I could ask, what could possibly prevent an audit fix from being applied?

Environment

PhilJollans commented 4 months ago

I am getting exactly the same effect.
I have updated to npm version 10.5.0.
I am using Windows 11 23H2.

This is the output I get from npm audit fix:

up to date, audited 1247 packages in 20s

148 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  2.24.0-rc1 - 3.0.0-alpha.2
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync

undici  <=5.28.2
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
fix available via `npm audit fix`
node_modules/undici
  @angular-devkit/build-angular  16.0.0-next.0 - 16.2.11 || 17.0.0-next.0 - 17.1.0-rc.1
  Depends on vulnerable versions of browser-sync
  Depends on vulnerable versions of undici
  Depends on vulnerable versions of vite
  node_modules/@angular-devkit/build-angular

vite  4.0.0 - 4.5.1
Severity: high
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - https://github.com/advisories/GHSA-c24v-8rfc-w8vw
fix available via `npm audit fix`
node_modules/vite

6 vulnerabilities (1 low, 3 moderate, 2 high)

To address all issues, run:
  npm audit fix

It doesn't make much sense to suggest I use npm audit fix to address the issues, when that is exactly the command which I entered.
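
The reports above only say "fix available via `npm audit fix`", which hides whether that fix is one the plain command will apply or a semver-major bump that `npm audit fix` refuses without `--force` (the audit then repeats unchanged). The script below is an added example, not npm's own code: it reads the JSON shape `npm audit --json` produces (auditReportVersion 2), follows each `via` chain back to the advisory, and labels every entry `auto`, `major` or `none`. The embedded report is a constructed sample modelled on the axios -> localtunnel -> browser-sync chain; the fix version string is a placeholder.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Version "3.0.0-placeholder" is a placeholder, not a real release.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: 'axios', severity: 'moderate', isDirect: false, range: '0.8.1 - 0.27.2',
      via: [{ name: 'axios', title: 'Axios Cross-Site Request Forgery Vulnerability',
              url: 'https://github.com/advisories/GHSA-wf5p-g6vw-rhxx', severity: 'moderate' }],
      effects: ['localtunnel'], nodes: ['node_modules/axios'],
      fixAvailable: { name: 'browser-sync', version: '3.0.0-placeholder', isSemVerMajor: true },
    },
    localtunnel: {
      name: 'localtunnel', severity: 'moderate', isDirect: false, range: '>=1.9.0',
      via: ['axios'], effects: ['browser-sync'], nodes: ['node_modules/localtunnel'],
      fixAvailable: { name: 'browser-sync', version: '3.0.0-placeholder', isSemVerMajor: true },
    },
    'browser-sync': {
      name: 'browser-sync', severity: 'moderate', isDirect: true,
      range: '2.24.0-rc1 - 3.0.0-alpha.2', via: ['localtunnel'], effects: [],
      nodes: ['node_modules/browser-sync'],
      fixAvailable: { name: 'browser-sync', version: '3.0.0-placeholder', isSemVerMajor: true },
    },
  },
};

// String entries in `via` point at another vulnerable package; objects are the
// advisories themselves. Walk the chain back to the advisory objects.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  return vulns[name].via.flatMap((v) =>
    typeof v === 'string' ? rootAdvisories(vulns, v, seen) : [v]);
}

// 'auto': plain `npm audit fix` applies it; 'major': only `npm audit fix --force`
// will (breaking change); 'none': no fix known, the report will keep repeating.
function fixKind(entry) {
  const f = entry.fixAvailable;
  if (f === true) return 'auto';
  if (f && typeof f === 'object') return f.isSemVerMajor ? 'major' : 'auto';
  return 'none';
}

function classifyAudit(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns).map((e) => ({
    name: e.name, severity: e.severity, direct: e.isDirect, fix: fixKind(e),
    fixTarget: e.fixAvailable && typeof e.fixAvailable === 'object' ? e.fixAvailable.name : null,
    advisories: rootAdvisories(vulns, e.name).map((a) => a.url),
  }));
}

// Pass a saved `npm audit --json` file as argv[2] to classify a real report.
const report = process.argv[2]
  ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_REPORT;
console.table(classifyAudit(report));
```

An entry classified `major` explains a repeating report: the advisory is real and a fix exists, but applying it means bumping the top-level dependency (here browser-sync) across a major version, which the plain command will not do.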

sushidub commented 4 months ago

I get a similar reporting loop here on macos:

macos: 10.15.7 node: 18.19.0 npm: 10.2.3
$ npm audit fix
up to date, audited 1935 packages in 6s

258 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  2.24.0-rc1 - 3.0.0-alpha.2
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

ashzure-github commented 1 month ago

Same here on Manjaro Linux (LTS kernel). Latest version of npm.