
[BUG] npm audit instructs me to run “npm audit fix” but it doesn’t update any packages

Open kleinfreund opened this issue 4 years ago • 69 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

In my project, when running npm audit, one of the reported vulnerable packages is listed with the message “fix available via npm audit fix”, but running npm audit fix doesn’t lead to any updated packages and the exact same output as from the earlier run of npm audit is logged.

This occurs on https://github.com/kleinfreund/vue-accessible-color-picker/commit/35bec0e751abad872de79657053cb8de07321faa.

Which dependency from my package.json file is actually the vulnerable one I cannot tell with the new output of npm audit in npm 7. This is what the output looks like:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix`
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

Expected Behavior

When seeing a message with the clear instruction “fix available via npm audit fix”, I expect this to be truthful and npm audit fix to always produce a changed package-lock.json file.

Steps To Reproduce

  1. Run git clone https://github.com/kleinfreund/vue-accessible-color-picker.git
  2. Run git checkout 35bec0e751abad872de79657053cb8de07321faa to checkout the commit on the project’s main branch at the time of writing this.
  3. Run npm install
  4. Run npm audit. ~Observe how currently this includes an entry with the message “fix available via npm audit fix”.~ For this particular advisory, this is no longer the case, unfortunately.
  5. Run npm audit fix

Environment

  • OS: Ubuntu 20.04
  • Node: v14.17.1
  • npm: 7.19.0

kleinfreund avatar Jun 26 '21 17:06 kleinfreund

Same issue here in my project (https://github.com/trickfilm400/vantage-node), Troubleshooting steps tried:

  • deleting package-lock.json
  • deleting node_modules/ folder

This did not help in any way.

Environment:

  • Windows 10
  • npm 7.19.0
  • node v14.17.0

[Screenshot of console output for more information if needed]

Trickfilm400 avatar Jun 28 '21 20:06 Trickfilm400

i'm having the same problem in my project https://github.com/chase-moskal/xiome

chase-moskal avatar Jul 03 '21 12:07 chase-moskal

Encountering the exact same issue. Environment: Windows: 10 Node: 16.9.1 NPM: 7.24.2

Rationum avatar Oct 11 '21 01:10 Rationum

Same issue, I ran the suggested force and I don't get better results. Do we need to manually add the updates for each package?

jeffreywdonahue avatar Oct 17 '21 17:10 jeffreywdonahue

I have the same issue. I attach a screenshot, but there are lot more vuln packages than these 2, which cannot be "fixed".


tyukesz avatar Nov 03 '21 08:11 tyukesz

I'm seeing the same thing on numerous packages as well Win 11 Node 14.16.0 npm 7.6.3


cpolanish avatar Nov 05 '21 16:11 cpolanish

Issue also exist in

$ node --version
v16.13.0
$ npm --version
8.1.0

frudolph77 avatar Nov 14 '21 01:11 frudolph77

Same issue here, getting worse and worse each time I run npm audit fix --force! :(

G:\>node --version
v16.13.0
G:\>npm --version
8.1.4

Started with:

1 moderate severity vulnerability
To address all issues, run:
  npm audit fix

But after running npm audit fix --force, it then said 27 vulnerabilities (16 moderate, 9 high, 2 critical)

And after running npm audit fix --force again, it said 53 vulnerabilities (12 low, 23 moderate, 16 high, 2 critical)

One time it said 66 vulnerabilities (54 moderate, 11 high, 1 critical), and after that I left it running in a loop (for /L %i in (1,1,50) do npm audit fix --force) which alternated between 27 and 53 vulnerabilities till I killed it.

I'm now attaching all output from the above, which shows the modules it was reporting.


petera703 avatar Nov 21 '21 19:11 petera703

Is there any hope of this issue being resolved?

RienBijl avatar Nov 23 '21 08:11 RienBijl

same problem here.

Npm 8.1.4 Node 17.1.0 Windows 11

marte3707 avatar Nov 25 '21 22:11 marte3707

+1, npm audit fix worsens the issue(s), and downgrades packages

aubreyyan avatar Nov 30 '21 06:11 aubreyyan

I resolved this by removing "npm": "^8.1.3", from the package.json dependencies, and then npm i && npm audit fix. No idea why it was there to begin with.

As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.

I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^

Environment: node: 14.18.1 npm: 8.2.0 (latest as of today)

@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

JakeIwen avatar Dec 03 '21 01:12 JakeIwen
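Both the opening question (which package.json entry actually pulls in the flagged css-what) and the suggestion just above to search package-lock.json for an npm dependency come down to the same task: tracing a package's dependents through the lockfile up to the root. The script below is an added example, not code from this issue or from npm itself; it reads the lockfileVersion 2/3 "packages" map, and the lock data embedded in it is constructed (only the css-what chain mirrors the audit output above; the other names are made up).

```javascript
// Added example, not from the npm issue or the npm project. For a real project
// replace the constructed `lock` below with
//   JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const lock = {
  packages: {
    "": { dependencies: { "some-build-tool": "^1.0.0", "legacy-tool": "^0.1.0" } },
    "node_modules/some-build-tool": { version: "1.0.0", dependencies: { "postcss-svgo": "^4.0.0" } },
    "node_modules/postcss-svgo": { version: "4.0.0", dependencies: { svgo: "^1.0.0" } },
    "node_modules/svgo": { version: "1.3.2", dependencies: { "css-select": "^2.0.0" } },
    "node_modules/css-select": { version: "2.1.0", dependencies: { "css-what": "^2.1.2" } },
    "node_modules/css-what": { version: "2.1.3" },
    "node_modules/legacy-tool": { version: "0.1.0", dependencies: { "css-what": "^1.0.0" } },
    "node_modules/legacy-tool/node_modules/css-what": { version: "1.0.0" }, // nested older copy
  },
};

// Resolve `name` as required by the package installed at `fromPath`, walking
// up the node_modules tree the same way Node's module resolution does.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (base === "") return null; // not installed anywhere on the lookup path
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Reverse edges: install path -> install paths of the packages requiring it.
function dependents(packages) {
  const rev = {};
  for (const [path, meta] of Object.entries(packages)) {
    for (const name of Object.keys(meta.dependencies || {})) {
      const dep = resolveDep(packages, path, name);
      if (dep) (rev[dep] = rev[dep] || []).push(path);
    }
  }
  return rev;
}

const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// One chain "direct-dep > ... > name" per installed copy of `name`.
function whyInstalled(lock, name) {
  const rev = dependents(lock.packages);
  const chains = [];
  const walk = (path, trail) => {
    if (path === "") { chains.push(trail.map(nameOf).join(" > ")); return; }
    if (trail.includes(path)) return; // cycle guard (peer/circular deps)
    for (const parent of rev[path] || []) walk(parent, [path, ...trail]);
  };
  for (const path of Object.keys(lock.packages)) if (path && nameOf(path) === name) walk(path, []);
  return chains;
}
```

Running whyInstalled(lock, "npm") against a real lockfile lists what drags an npm copy into node_modules, which is the check the comment above recommends doing by hand.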

Same problem... This is a significant problem.

My environment:

Ubuntu 18.04 NPM 8.3.0 Node v16.13.1

inf3rnus avatar Jan 07 '22 22:01 inf3rnus

> I resolved this by removing "npm": "^8.1.3", from the package.json dependencies, and then npm i && npm audit fix. No idea why it was there to begin with.
>
> As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.
>
> I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^
>
> Environment: node: 14.18.1 npm: 8.2.0 (latest as of today)
>
> @kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"

this does not fix the problem for me, I didn't have "npm": "^ in my package.json

aubreyyan avatar Jan 07 '22 23:01 aubreyyan

Same problem for me.

MacOS 11.6 NPM 8.1.2 Node 16.13.2

andrewtannernumiko avatar Jan 14 '22 12:01 andrewtannernumiko

Same problem here:

MacOS 12.1 Node v16.13.1 NPM 8.3.0

VasilisTako avatar Jan 17 '22 20:01 VasilisTako

Same

AlexandreLage avatar Jan 18 '22 19:01 AlexandreLage

same

avasilic avatar Jan 23 '22 08:01 avasilic

Same

lprekon avatar Jan 23 '22 18:01 lprekon

Same

raffaeltavares avatar Jan 27 '22 05:01 raffaeltavares

Same

mytechnotalent avatar Jan 28 '22 12:01 mytechnotalent

Same

mytechnotalent avatar Jan 30 '22 11:01 mytechnotalent

Windows 10 Node v16.13.2 NPM v8.4.0

GhostGlitch avatar Jan 30 '22 14:01 GhostGlitch

MacOS Node v16.13.2 NPM v8.1.2

mytechnotalent avatar Jan 31 '22 01:01 mytechnotalent

Same issue:

Ubuntu 20.04 Node v16.13.2 NPM 8.3.2

thucngyyen avatar Feb 01 '22 19:02 thucngyyen

Same issue:

Mac OS Node v16.3.0 NPM v8.1.0

the-homeless-god avatar Feb 03 '22 21:02 the-homeless-god

Please upvote 👍 the issue instead of just commenting on it, as a comment notifies everyone waiting for a resolution here and doesn't really add value. (Yes, everyone knows that it is broken across all versions right now.)

johanneswuerbach avatar Feb 04 '22 09:02 johanneswuerbach

same issue: windows 10 node v16.13.2 npm 8.3.0

Joydeep-Kundu avatar Feb 06 '22 10:02 Joydeep-Kundu

Same issue: Windows 10 Node v16.13.0 npm 8.1.0

dgarciasarai avatar Feb 14 '22 13:02 dgarciasarai

Same issue. macOS Big Sur 11.6.3 node v16.13.1 npm 8.5.0

Tried by:

  • deleting package-lock.json
  • deleting node_modules folder
  • running ncu -u
  • running npm update
  • and finally running again npm install

It didn't solve the problem.

cionz0 avatar Feb 17 '22 16:02 cionz0

Running into this issue here on Windows 11 running NPM 8.1.2.

tylerlazenby avatar Feb 25 '22 16:02 tylerlazenby