
[BUG] `npm audit fix` only reports and doesn't fix

Open thany opened this issue 1 year ago • 7 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

I'm running npm audit fix to fix a vulnerability. Output:

> npm audit fix

changed 1 package, and audited 1665 packages in 2s

298 packages are looking for funding
  run `npm fund` for details

# npm audit report

follow-redirects  <1.15.4
Severity: high
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix`
node_modules/follow-redirects

1 high severity vulnerability

To address all issues, run:
  npm audit fix

This tells me:

  1. There is indeed a vulnerability
  2. There is a fix for it
  3. That fix can be applied using the npm audit fix command.

So if I then do the (same) npm audit fix command again, just like the output instructs me to do, it just gives the same output again. So this looks to me like it's only able to produce a report, but not a fix.

Expected Behavior

npm audit fix updates the offending package, thereby fixing the vulnerability. When executing this command twice, it should not be possible to see the same vulnerability again if there is a fix for it.

Steps To Reproduce

  1. Have workspaces. Maybe, not sure, it's just what I have.
  2. Have a vulnerability somewhere. Not sure if it matters what kind, if it does matter, then see above output example.
  3. Run npm audit fix from workspaces root, not from an individual workspace

I don't know what causes this. If I knew, I would definitely let you know. So maybe I could ask, what could possibly prevent an audit fix from being applied?

Environment

  • npm: 10.2.5
  • Node.js: 20.10.0
  • OS Name: Windows 10 22H2
  • System Model Name: Precision 5570
  • npm config:
prefix = "C:\\Users\\awesome-username\\AppData\\Roaming\\npm"
legacy-peer-deps = true

(comments stripped out)

thany avatar Jan 09 '24 12:01 thany

I am getting exactly the same effect.
I have updated to npm version 10.5.0.
I am using Windows 11 23H2.

This is the output I get from npm audit fix:

up to date, audited 1247 packages in 20s

148 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  2.24.0-rc1 - 3.0.0-alpha.2
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync

undici  <=5.28.2
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
fix available via `npm audit fix`
node_modules/undici
  @angular-devkit/build-angular  16.0.0-next.0 - 16.2.11 || 17.0.0-next.0 - 17.1.0-rc.1
  Depends on vulnerable versions of browser-sync
  Depends on vulnerable versions of undici
  Depends on vulnerable versions of vite
  node_modules/@angular-devkit/build-angular

vite  4.0.0 - 4.5.1
Severity: high
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - https://github.com/advisories/GHSA-c24v-8rfc-w8vw
fix available via `npm audit fix`
node_modules/vite

6 vulnerabilities (1 low, 3 moderate, 2 high)

To address all issues, run:
  npm audit fix

It doesn't make much sense to suggest I use npm audit fix to address the issues, when that is exactly the command which I entered.

PhilJollans avatar Mar 03 '24 07:03 PhilJollans

I get a similar reporting loop here on macos:

macos: 10.15.7 node: 18.19.0 npm: 10.2.3


$ npm audit fix
up to date, audited 1935 packages in 6s

258 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  2.24.0-rc1 - 3.0.0-alpha.2
    Depends on vulnerable versions of localtunnel
    node_modules/browser-sync

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

sushidub avatar Mar 18 '24 18:03 sushidub

Same here on manjaro linux (lts kernel). latest version of npm.

Ashistry avatar Jun 18 '24 17:06 Ashistry

Same here on MacOS 14. npm 10.8.1

yhe97 avatar Aug 10 '24 21:08 yhe97

I also experienced this, is there any way to fix this?

lara-jsc avatar Aug 13 '24 02:08 lara-jsc

I have the same problem due to axios. Though I am using axios 1.7.1

npm audit report

axios >=1.3.2 Severity: high

sourcecode71 avatar Aug 13 '24 04:08 sourcecode71

Ditto.

> npm audit
# npm audit report

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  twilio  >=4.19.3
  Depends on vulnerable versions of axios
  node_modules/twilio
  vite-plugin-mkcert  >=1.17.0
  Depends on vulnerable versions of axios
  node_modules/vite-plugin-mkcert

3 high severity vulnerabilities

To address all issues, run:
  npm audit fix

So:

> npm audit fix

changed 1 package, and audited 892 packages in 2s

137 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  twilio  >=4.19.3
  Depends on vulnerable versions of axios
  node_modules/twilio
  vite-plugin-mkcert  >=1.17.0
  Depends on vulnerable versions of axios
  node_modules/vite-plugin-mkcert

3 high severity vulnerabilities

To address all issues, run:
  npm audit fix

But no dice.

Attempt to Fix

Went to npmjs.org, searched for the dependencies (in my case, twilio and vite-plugin-mkcert), grabbed the latest versions, updated package.json with them, then ran npm update – still no luck. Three high severity vulnerabilities gone, but two new (moderate) vulnerabilities. Maybe that's an improvement? Call npm audit fix and found myself back to square one – two high severity vulnerabilities, Twilio downgraded from [email protected] to twilio@^4.19.0 . Still an issue with axios.

npm audit fix --force
npm WARN using --force Recommended protections disabled.

changed 1 package, and audited 896 packages in 2s

137 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  >=1.3.2
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios
  twilio  >=4.19.3
  Depends on vulnerable versions of axios
  node_modules/twilio

2 high severity vulnerabilities

To address all issues, run:
  npm audit fix

greenstick avatar Aug 13 '24 07:08 greenstick