[BUG] npm 7.6.0 audit fix --force recommends running npm audit fix --force (the same command) to fix issues.
Current Behavior:
npm audit fix --force recommends running npm audit fix --force (the same command) to fix issues.
This obviously makes no sense. npm audit fix --force should itself fix the issues reported.
$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating evergreen-ui to 5.1.2, which is a SemVer major change.
added 2 packages, removed 4 packages, changed 5 packages, and audited 2749 packages in 7s
105 packages are looking for funding
run `npm fund` for details
# npm audit report
node-fetch <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glamor/node_modules/node-fetch
node_modules/react-event-listener/node_modules/node-fetch
isomorphic-fetch 2.0.0 - 2.2.1
Depends on vulnerable versions of node-fetch
node_modules/glamor/node_modules/isomorphic-fetch
node_modules/react-event-listener/node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/glamor/node_modules/fbjs
node_modules/react-event-listener/node_modules/fbjs
glamor >=2.17.10
Depends on vulnerable versions of fbjs
node_modules/glamor
evergreen-ui *
Depends on vulnerable versions of glamor
Depends on vulnerable versions of react-scrollbar-size
node_modules/evergreen-ui
react-event-listener 0.2.0 - 0.3.0 || 0.4.4 - 0.5.10
Depends on vulnerable versions of fbjs
node_modules/react-event-listener
react-scrollbar-size 1.0.0 - 2.1.0
Depends on vulnerable versions of react-event-listener
node_modules/react-scrollbar-size
7 low severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Expected Behavior:
npm audit fix --force should resolve the issues by updating dependencies.
Steps To Reproduce:
Detail above might be enough, but if not, LMK and I'll produce a redacted package.json
Environment:
- OS: Ubuntu 20.04
- Node: v14.15.1
- npm: 7.6.0
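The report above can be read more precisely from `npm audit --json` (npm 7+, `auditReportVersion: 2`) than from the text output. In that format each entry carries `isDirect`, the vulnerable `range`, and `fixAvailable` (either `true`, `false`, or an object with `name`, `version` and `isSemVerMajor`). The detail that explains the loop is `evergreen-ui *`: the vulnerable range is every published version, so no version change of `evergreen-ui` can clear the advisory and `--force` can only swap versions and re-report it. The following script is an added example, not npm's code and not the reporter's; it classifies each direct dependency in a constructed `npm audit --json` document that mirrors the chain in this report (the `fixAvailable` version `4.0.0`, the `example-direct-dep` control entry and its `example.invalid` advisory URL are made up for the example):

```javascript
// Added example (not part of the npm project): classify direct dependencies in
// an `npm audit --json` (auditReportVersion 2) report to see why
// `npm audit fix --force` cannot converge.

// Constructed fix target. The real report redacts the version npm would install.
const FORCE_FIX = { name: 'evergreen-ui', version: '4.0.0', isSemVerMajor: true };

// Advisory object as npm embeds it in `via` (fields from the report above).
const ADVISORY_1556 = {
  source: 1556, name: 'node-fetch', dependency: 'node-fetch',
  title: 'Denial of Service', url: 'https://npmjs.com/advisories/1556',
  severity: 'low', range: '<=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8',
};

// Constructed control advisory so the classifier has a fixable case to contrast.
const ADVISORY_EXAMPLE = {
  source: 0, name: 'example-direct-dep', dependency: 'example-direct-dep',
  title: 'Constructed advisory (not real)', url: 'https://example.invalid/advisory/0',
  severity: 'low', range: '<1.2.0',
};

// Build one vulnerabilities entry in the shape npm 7+ emits.
function vuln(name, range, via, isDirect, fixAvailable) {
  return { name, severity: 'low', isDirect, via, effects: [], range,
           nodes: [`node_modules/${name}`], fixAvailable };
}

// Constructed report mirroring the dependency chain in the bug report.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'node-fetch': vuln('node-fetch', '<=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8', [ADVISORY_1556], false, FORCE_FIX),
    'isomorphic-fetch': vuln('isomorphic-fetch', '2.0.0 - 2.2.1', ['node-fetch'], false, FORCE_FIX),
    fbjs: vuln('fbjs', '0.7.0 - 1.0.0', ['isomorphic-fetch'], false, FORCE_FIX),
    glamor: vuln('glamor', '>=2.17.10', ['fbjs'], false, FORCE_FIX),
    'react-event-listener': vuln('react-event-listener', '0.2.0 - 0.3.0 || 0.4.4 - 0.5.10', ['fbjs'], false, FORCE_FIX),
    'react-scrollbar-size': vuln('react-scrollbar-size', '1.0.0 - 2.1.0', ['react-event-listener'], false, FORCE_FIX),
    // range "*": every published version of evergreen-ui is in the vulnerable range
    'evergreen-ui': vuln('evergreen-ui', '*', ['glamor', 'react-scrollbar-size'], true, FORCE_FIX),
    // constructed control: a direct dependency with a non-breaking fix available
    'example-direct-dep': vuln('example-direct-dep', '<1.2.0', [ADVISORY_EXAMPLE], true, true),
  },
};

// Follow `via` links (package names) down to the advisory objects at the root
// of the chain; returns the de-duplicated advisory URLs. `seen` guards cycles.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry) return [];
  const urls = [];
  for (const via of entry.via) {
    if (typeof via === 'string') urls.push(...rootAdvisories(vulns, via, seen));
    else urls.push(via.url);
  }
  return [...new Set(urls)];
}

// Decide, per direct dependency, what `npm audit fix` can actually do with it.
function classifyDirectVulns(report) {
  if (report.auditReportVersion !== 2) throw new Error('expected auditReportVersion 2 (npm >= 7)');
  const vulns = report.vulnerabilities;
  const results = [];
  for (const v of Object.values(vulns)) {
    if (!v.isDirect) continue;
    let verdict;
    if (v.range === '*') {
      verdict = 'unfixable'; // no version of this package escapes the advisory
    } else if (v.fixAvailable === true) {
      verdict = 'fixable'; // plain `npm audit fix` can resolve it
    } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      verdict = 'needs-force'; // resolvable, but only via a breaking version change
    } else {
      verdict = 'no-fix';
    }
    results.push({ name: v.name, range: v.range, verdict, advisories: rootAdvisories(vulns, v.name) });
  }
  return results;
}

for (const r of classifyDirectVulns(SAMPLE_AUDIT)) {
  console.log(`${r.name.padEnd(20)} range=${r.range.padEnd(8)} ${r.verdict.padEnd(12)} ${r.advisories.join(', ')}`);
}
```

To run it against a real project, replace `SAMPLE_AUDIT` with `JSON.parse` of the output of `npm audit --json`. A direct dependency reported as `unfixable` here is one where every version the registry has is in the vulnerable range; the only ways out are removing the package, replacing it, or an override, and repeated `npm audit fix --force` runs will not help.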
I am also facing the same issue with the command npm audit fix. When I run this command I am asked to run the same command to fix the issues.
Environment:
- OS: MacOS Catalina Version 10.15.7
- Node: v14.16.0
- NPM: 7.6.3
@mikemaccana :wave: can you shoot over the redacted package.json to help us figure out what's going on? Apologies for the delayed triage, but appreciate you bringing this up.
A reproducible version of this issue is in #5046 with a helpful discussion.
FYI, the bug is still present in npm 9/Node 18
- npm 9.6.1
- node v18.12.1
(I am getting alternative upgrades and downgrades similar to (if not exactly the same problem as) https://github.com/npm/cli/issues/5046)
I have been running into this issue while trying to fix the webpack/OpenSSL bug by running npm audit fix in this repo using react scripts : https://github.com/nexmo-se/video-express-react-app
Hi there, is there any news on this bug? I would settle for a workaround as well, but getting all these vulnerability warnings on every npm install is kind of annoying...
I've upgraded to NPM 10.2.0 / Node 21.1.0 and am seeing downgrades of a bunch of packages including gulp as a function of using --force, which I run to try to fix problems with lodash. help?
Still experiencing this bug — npm 10.9.2 / Node 22.14.0. npm audit fix --force is looping on upgrading/downgrading react-scripts and recommending to fix issues by running npm audit fix --force