antongolub/yarn-audit-fix

--force did not force the update

qwelias opened this issue · 6 comments

yarn-audit-fix@2.2.1

test repo

I can see how --force gets passed to npm audit fix, but somehow npm exits with non-zero and suggests to use --force. Not sure what's happening.

$ yarn-audit-fix --force
Preparing temp assets...
Generating package-lock.json from yarn.lock...
Applying npm audit fix...
invoke /home/qwelias/.nvm/versions/node/v12.18.1/lib/node_modules/yarn-audit-fix/node_modules/.bin/npm audit fix --package-lock-only --force --prefix=/home/qwelias/prj/stuff/test-yarn-audit-fix/node_modules/.cache/yarn-audit-fix
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating lodash to 4.17.20,which is outside your stated dependency range.
npm WARN audit Manual fix required in linked project at ./packages/bar for lodash@<=4.17.18.
npm WARN audit 'cd ./packages/bar' and run 'npm audit' for details.
npm WARN audit Manual fix required in linked project at ./packages/foo for lodash@<=4.17.18.
npm WARN audit 'cd ./packages/foo' and run 'npm audit' for details.

up to date, audited 7 packages in 2s

# npm audit report

lodash  <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/782
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/1523
fix available via `npm audit fix --force`
Will install lodash@4.17.20, which is outside the stated dependency range
packages/bar/node_modules/lodash
packages/foo/node_modules/lodash

1 high severity vulnerability

To address all issues, run:
  npm audit fix --force
{
  status: 1,
  signal: null,
  output: [ null, null, null ],
  pid: 176019,
  stdout: null,
  stderr: null
}

@qwelias

npm@7 is still in beta, and this is how force flag handling is implemented now:

if (this[_force] && this.auditReport && this.auditReport.topVulns.size) {
  options.add = options.add || []
  options.rm = options.rm || []
  for (const [name, topVuln] of this.auditReport.topVulns.entries()) {
    const {
      packument,
      simpleRange,
      range: avoid,
      topNodes,
      fixAvailable,
    } = topVuln
    for (const node of topNodes) {
      if (node !== this.idealTree) {
        // not something we're going to fix, sorry.  have to cd into
        // that directory and fix it yourself.
        this.log.warn('audit', 'Manual fix required in linked project ' +
          `at ./${node.location} for ${name}@${simpleRange}.\n` +
          `'cd ./${node.location}' and run 'npm audit' for details.`)
        continue
      }

But you may inherit npm version from the environment with --inherit-npm flag.
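The following is an added example, not npm's or yarn-audit-fix's code: a simplified model of the `--force` branch quoted above, showing why the lodash copies under ./packages/bar and ./packages/foo only produce "Manual fix required" warnings. The field names (topVulns, topNodes, simpleRange, fixAvailable, idealTree) follow the snippet; the report data is constructed, and pushing `name@version` onto `options.add` for the root node is an assumption about what follows the truncated snippet.

```javascript
// Added example (not npm's or yarn-audit-fix's code): a simplified model of
// the `--force` branch quoted from npm@7's arborist above. Every top node
// that is not the root of the ideal tree is skipped with a warning, so a
// vulnerability that only occurs inside linked workspace projects is never
// fixed from the root. Data shapes mirror the snippet; values are constructed.

// Constructed audit report shaped like the quoted snippet expects.
// `rootNode` stands in for `this.idealTree`; workspace projects are
// separate nodes with their own `location`.
function buildReport(rootNode) {
  return {
    topVulns: new Map([
      ['lodash', {
        simpleRange: '<=4.17.18',
        fixAvailable: { name: 'lodash', version: '4.17.20', isSemVerMajor: false },
        topNodes: [
          { location: 'packages/bar' },   // linked project -> manual fix
          { location: 'packages/foo' },   // linked project -> manual fix
        ],
      }],
      ['minimist', {
        simpleRange: '<1.2.3',
        fixAvailable: { name: 'minimist', version: '1.2.5', isSemVerMajor: false },
        topNodes: [rootNode],             // rooted at the top -> fixable
      }],
    ]),
  };
}

// Mirrors the quoted branch: build the add list for a forced fix and collect
// the "Manual fix required" warnings instead of logging them, so the result
// can be inspected. Adding `${name}@${version}` for the root node is an
// assumption about the part of the snippet that was cut off.
function planForceFix(auditReport, idealTree, force = true) {
  const options = { add: [], rm: [] };
  const warnings = [];
  if (!(force && auditReport && auditReport.topVulns.size)) {
    return { options, warnings };
  }
  for (const [name, topVuln] of auditReport.topVulns.entries()) {
    const { simpleRange, topNodes, fixAvailable } = topVuln;
    for (const node of topNodes) {
      if (node !== idealTree) {
        // not something npm fixes from here; the warning is the only output
        warnings.push(
          `Manual fix required in linked project at ./${node.location} ` +
          `for ${name}@${simpleRange}. 'cd ./${node.location}' and run ` +
          `'npm audit' for details.`);
        continue;
      }
      if (!fixAvailable) continue;
      options.add.push(`${fixAvailable.name}@${fixAvailable.version}`);
    }
  }
  return { options, warnings };
}

// Defender-side check for a monorepo: which workspace directories still need
// their own `npm audit` run after a forced fix at the root.
function linkedProjectsNeedingFix(auditReport, idealTree) {
  const { warnings } = planForceFix(auditReport, idealTree);
  const dirs = new Set();
  for (const w of warnings) {
    const m = w.match(/at \.\/([^ ]+) for /);
    if (m) dirs.add(m[1]);
  }
  return [...dirs].sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  const root = { location: '' };
  const { options, warnings } = planForceFix(buildReport(root), root);
  console.log('will add:', options.add);
  warnings.forEach((w) => console.log('npm WARN audit', w));
  console.log('manual fix needed in:', linkedProjectsNeedingFix(buildReport(root), root));
}
```

Run with `node` to see the two warnings for packages/bar and packages/foo alongside an add list that contains only the root-level package; this matches the behaviour in the log above, where `--force` produced warnings but no change to the workspace packages.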

@antongolub ah, thanks!
Now it doesn't fail, but the resulting yarn.lock did not change and yarn audit still produces the same output.

Well, we just have to wait for the final version of npm@7. Monorepo support is implemented only there.

@qwelias

I cannot fix this on my own, sorry. I've mentioned this issue in readme.

No problem, thanks for explaining!

🎉 This issue has been resolved in version 2.2.3 🎉

The release is available on:

Your semantic-release bot 📦🚀