[BUG] npm audit fix doesn't work
Closed this issue · 96 comments
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
In my project, when running npm audit, one of the reported vulnerable packages is listed with the message “fix available via npm audit fix”, but running npm audit fix doesn’t lead to any updated packages and the exact same output as from the earlier run of npm audit is logged.
This occurs on kleinfreund/vue-accessible-color-picker@35bec0e.
Which dependency from my package.json file is actually the vulnerable one I cannot tell with the new output of npm audit in npm 7. This is what the output looks like:
css-what <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix`
node_modules/css-what
css-select <=3.1.2
Depends on vulnerable versions of css-what
node_modules/css-select
svgo 1.0.0 - 2.3.0
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
Expected Behavior
When seeing a message with the clear instruction “fix available via npm audit fix”, I expect this to be truthful and npm audit fix to always produce a changed package-lock.json file.
Steps To Reproduce
- Run git clone https://github.com/kleinfreund/vue-accessible-color-picker.git
- Run git checkout 35bec0e751abad872de79657053cb8de07321faa to check out the commit on the project’s main branch at the time of writing this.
- Run npm install
- Run npm audit. Observe how currently this includes an entry with the message “fix available via npm audit fix”. (For this particular advisory, this is no longer the case, unfortunately.)
- Run npm audit fix
Environment
- OS: Ubuntu 20.04
- Node: v14.17.1
- npm: 7.19.0
Same issue here in my project (https://github.com/trickfilm400/vantage-node),
Troubleshooting steps tried:
- deleting package-lock.json
- deleting node_modules/ folder
this did not help in any way
Environment:
- Windows 10
- npm 7.19.0
- node v14.17.0
i'm having the same problem in my project https://github.com/chase-moskal/xiome
Encountering the exact same issue.
Environment:
Windows: 10
Node: 16.9.1
NPM: 7.24.2
Same issue, I ran the suggested force and I don't get better results. Do we need to manually add the updates for each package?
Issue also exist in
$ node --version
v16.13.0
$ npm --version
8.1.0
Same issue here, getting worse and worse each time I run npm audit fix --force! :(
G:\>node --version
v16.13.0
G:\>npm --version
8.1.4
Started with:
1 moderate severity vulnerability To address all issues, run: npm audit fix
But after running npm audit fix --force, it then said 27 vulnerabilities (16 moderate, 9 high, 2 critical)
And after running npm audit fix --force again, it said 53 vulnerabilities (12 low, 23 moderate, 16 high, 2 critical)
One time it said 66 vulnerabilities (54 moderate, 11 high, 1 critical), and after that I left it running in a loop (for /L %i in (1,1,50) do npm audit fix --force) which alternated between 27 and 53 vulnerabilities till I killed it.
I'm now attaching all output from the above, which shows the modules it was reporting.
Is there any hope of this issue being resolved?
same problem here.
Npm 8.1.4
Node 17.1.0
Windows 11
+1, npm audit fix worsens the issue(s), and downgrades packages
I resolved this by removing "npm": "^8.1.3", from the package.json dependencies.
and then npm i && npm audit fix
No idea why it was there to begin with.
As an experiment I added "npm": "^8.2.0", to the dependencies and the vulnerabilities returned with npm i && npm audit fix.
I suggest upgrading to the latest npm (if possible) and searching your package.json AND package-lock.json for "npm": "^
Environment:
node: 14.18.1
npm: 8.2.0 (latest as of today)
@kleinfreund I noticed your package-lock.json has "npm": "^7.0.0", as a dependency of "@semantic-release/npm": "^8.0.3"
Same problem... This is a significant problem.
My environment:
Ubuntu 18.04
NPM 8.3.0
Node v16.13.1
this does not fix the problem for me, I didn't have "npm": "^ in my package.json
Same problem for me.
MacOS 11.6
NPM 8.1.2
Node 16.13.2
Same problem here:
MacOS 12.1
Node v16.13.1
NPM 8.3.0
Same
same
Same
Same
Same
Same
Windows 10
Node v16.13.2
NPM v8.4.0
MacOS
Node v16.13.2
NPM v8.1.2
Same issue:
Ubuntu 20.04
Node v16.13.2
NPM 8.3.2
Same issue:
Mac OS
Node v16.3.0
NPM v8.1.0
Please upvote 👍 the issue instead of a just commenting on it as a comment notifies everyone waiting for a resolution here and doesn't really add value. (Yes, everyone knows that it is broken across all versions right now.)
same issue:
windows 10
node v16.13.2
npm 8.3.0
Same issue.
macOS Big Sur 11.6.3
node v16.13.1
npm 8.5.0
Tried by:
- deleting package-lock.json
- deleting node_modules folder
- running ncu -u
- running npm update
- and finally running again npm install
It didn't solve the problem.
Running into this issue here on Windows 11 running NPM 8.1.2.
Same issue here
Hello. I have the same Issue:
- Windows: 10, 21H2, 19044.1586, x64
- Node Version: 17.8.0, x64
- NPM Version: 8.5.5, x64
I have tried all the potential work-arounds I have found listed throughout the Web like removing Package-lock.json and the node_modules Directory, deleting the NPM Cache with --force etc. As a total beginner who just started with NPM, this is a very bad experience so far. Nonetheless, thank you everyone working on this Project and also for fixing this as soon as possible :)
#StaySafeStayHealthyEveryone
Same issue trying to run npm install expo-cli
Again, please just upvote the issue if you have nothing new to share. This is critical and everybody here is waiting for a fix. Adding more comments with no helpful update just makes the new visitors go through a longer thread and see no values.
@Z3TA For the purpose of reacting to an issue (e.g. up-voting it), you can find the reaction section at the bottom of the very first post in an issue.
When I search for "npm audit" in the Issues, this issue is on page 2 with 104 "thumbs up", while the issue ranked above it only has 3 "thumbs up". It's however possible to sort by emoji... So the convention to "upvote" is to use the thumbs up reaction on the first post ? @kleinfreund @AliAMQ
@Z3TA Yes, that is a convention. It signals the degree of interest in an issue (e.g. here, many people signal that they experience the same issue) and it also allows issues being sorted by such measures.
Reacting to a message does not trigger in-website or email notifications and is therefore not disrupting anyone. Commenting on an issue however is disruptive and should only be done when there is, for example, new information to contribute. Writing “Same” is not new information because it is already well established that a great number of people experience this issue. This fact is very easy to observe, too, because among other signals, the first post (i.e. the bug report in this case) has all these thumbs up reactions. Everyone who is subscribed to an issue will get notified whenever someone writes “Same”. In the case of this issue, that’s at least 37 people. For what? It doesn’t do anything good. No new information was gained and people get an avoidable notification. Not cool.
Same issue here, any update on this issue?
node.js - v14.17.0
npm - 8.7.0
ubuntu - 18.04.6
Same issue, has this been solved yet?
same issue
Please upvote the issue if you believe there should be a resolution.
I just wanted to ask because it's not obvious to me in these posts, but is there a version/combo of npm and/or node that I would need to downgrade to where npm audit fix would actually do what it was intended to do? Or, is there a separate package resolver that is more up-to-date and could be recommended for this specific operation?
I'm preparing a demo on resolving package vulnerabilities and it would be great if I could show them npm audit fix (or an alternative) vs. manually updating packages, which would be a nightmare in any standard Angular application.
@JakeIwen I tried your solution, but it didn't change anything for me.
I'm also using semantic-release and therefore had a local npm installation in my node_modules, so I completely removed semantic-release, clean installed my dependencies, double checked that npm was no longer in the node_modules and ran npm audit fix.
The result was the same as before: NPM mentioned some vulnerabilities with available fixes, and that running npm audit fix would resolve the vulnerabilities, but no changes were made to the package-lock.json file, and re-running npm audit fix mentioned the exact same vulnerabilities and available fixes.
Node.js v16.15.0 and NPM v8.5.5 on Ubuntu 20.04.1 via WSL on Windows 11
Whatever messages I received, I followed them manually.
Like
npm i -g reactscripts@latest
I did this for every package that was deprecated and at the end it was better
Please upvote the issue if you believe there should be a resolution.
I originally was using npm 8 and as my experience was the same as others here, I decided to downgrade (even though I didn't realize OP was using npm 7).
Ran npm i npm@7 which gave me npm 7.24.2, and for reference I am on node 14.17.4.
Deleted node_modules altogether and the package-lock.json to start fresh.
Then I had to run npm cache clean --force for a specific issue.
After that, npm audit fix seems to be working fine for me. Can someone else please confirm this is at least some workaround for the issue with npm 8's npm audit fix at the moment? Just thought it was strange since OP was on npm version 7.19.0.
@nickeeromo Personally, I had this issue ever since I reported it (and in fact quite a while before that). I certainly had it on clean repositories (i.e. freshly cloned) and even on fresh npm installations.
Same here
node.js - v14.18.3
npm - 8.12.1
MacOS - 12.3.1
Facing the same issue
node.js - v16.14.2
npm - 8.5.0
MacOS - 12.3.1
Same issue.
node.js -16.15.1
npm - 8.11.0
ubuntu - 22.04
I tried what nickeeromo proposed, but even after downgrading to npm v7.24 I have the same problem.
Apparently, there is no solution to the problem.
The only thing I tried was temporarily un-installing the package giving me the most problems
I am also having this issue where it cycles between vulnerabilities
My solution was running:
sudo npm install -g npm@8.13.1
I hope it helps.
I tried on 8.13.1 as per @kontranet's advice but it didn't fix it for me :-(
Same here, but there is one thing I would like to point out that I was not aware of.
$ npm update <package name>
Here the package name is the one with the vulnerability, not necessarily your direct dependency.
Like:
$ npm audit fix
up to date, audited 437 packages in 2s
34 packages are looking for funding
run `npm fund` for details
# npm audit report
minimist <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/tap/node_modules/minimist
1 critical severity vulnerability
To address all issues, run:
npm audit fix
Run npm update for minimist (npm update minimist). It worked for me and there is no vulnerability with minimist.
$ npm update minimist
removed 4 packages, and audited 433 packages in 2s
34 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
$ npm audit
found 0 vulnerabilities
Is my observation correct, in the sense that if npm audit fix is not working we can individually update the vulnerable package?
I never had this issue before but I got it immediately after I installed "nodemailer" with "npm install". It's probably not related but that is how I got the problem.
I was told on a few discord servers to just ignore the vulnerabilities but I'm having the same issue. Went from 6 high issues to 69 vulnerabilities (11 low, 20 moderate, 35 high, 3 critical) after running audit fix --force :/
Same error
node 16.16.0 // npm 8.16.0
npm audit report
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@2.1.3, which is a breaking change
node_modules/react-scripts/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/react-scripts/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/react-scripts/node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/react-scripts/node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/react-scripts/node_modules/@svgr/webpack
react-scripts >=2.1.4
Depends on vulnerable versions of @svgr/webpack
node_modules/react-scripts
6 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Installing and using npm-check-updates worked for me; went from 10 vulnerabilities to 4.
I was facing the same issue, but I ran npm update and it solved the vulnerabilities for me.
> npm audit fix
...
5 high severity vulnerabilities
To address all issues, run:
npm audit fix
> npm update
added 105 packages, removed 743 packages, changed 153 packages, and audited 1347 packages in 1m
120 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
Not really sure why it worked, but I hope it works for someone else facing this.
npm update
Finally solved the problem for me.
Please don’t propose npm update as a solution/workaround for this issue. npm update updates all dependencies which is wholly different than updating only dependencies with known vulnerabilities to their first version without said vulnerability.
The former needs much more supervision and care to make sure the changed dependency tree doesn’t break your project.
I have the same problem. I tried to install npm i @material-ui/core and I constantly get that error.
Same here.
Node version: v14.17.6
npm --version: 6.14.15
Same here.
node --version: v18.6.0
npm --version: 8.15.0
Same!!
node --version
v16.17.0
npm --version
8.15.0
Same!!
node --version
v16.17.0
npm --version
8.19.1
npm update , fixed this issue for me
same issue
npm -v
9.1.1
node -v
v18.12.1
Same issue.
npm update changed nothing.
node --version
v18.12.1
npm --version
9.1.2
Same problem.
node --version
v18.6.0
npm --version
8.13.2
same here.
node --version
v16.18.0
npm --version
8.19.2
Closing this issue as there doesn't seem to be an interest in acknowledging or fixing it.
I've stopped using (or trying to use) npm audit fix completely and instead update vulnerable dependencies by hand (completely manual).
same here. was forced to use the "overrides" section of package.json to force the fixes.
It does work, just not for all packages. It would be handy to get some feedback from some developer's investigation, so we can all know what to do to get rid of the vulnerabilities.
Maybe the problem is on the vendors packages side?
For example, my npm audit fix fixed the critical issue with loader-utils 2.0.0 - 2.0.3, but it didn't solve the problems with d3-color <3.1.0.
Maybe do not mention "fix available via npm audit fix" if it is not true.
Same problem here:
Ubuntu 20.04.5
Node v18.12.1
NPM 9.2.0
Having the same issue.
Windows 11/WSL2
Ubuntu: 22.04.1 LTS
Node: v19.3.0
npm: 9.2.0
Related to:
json5 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Some details
Two different projects on the same machine.
npm audit fix --force the recommendation for the project that resulted in a success. (hosted on gitub.com)
npm audit fix the recommendation for the project that fails. (hosted on bitbucket.com)
Regarding npm audit fix and the project that failed.
package.json and package-lock.json shows "json5": "^2.2.2" which is the latest as of posting and the proposed solution, however npm audit report still displays
json5 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/xml-loader/node_modules/json5
loader-utils <=1.4.2
Depends on vulnerable versions of json5
node_modules/xml-loader/node_modules/loader-utils
xml-loader >=1.1.0
Depends on vulnerable versions of loader-utils
node_modules/xml-loader
3 high severity vulnerabilities
To address all issues, run:
npm audit fix
npm update <package name> does not appear to change anything
npm update
did you solve this eventually?
Yes. In this case the WSL instance could not make changes since the files were hosted in a windows directory.
The solution at the time was to move the project into the Ubuntu environment.
was having this issue. 'npm rebuild' ended up solving it for me..
If still experiencing this issue, try this
$ npm install -g npm-check-updates
$ ncu -u
$ npm install
$ npm audit fix --force
This issue is known for years and it looks like there is no desire to fix it...
But for security purpose it would be appreciated
If no one wants to fix it and it's broken, then why are we "officially" being recommended to use it in the console?
To address issues that do not require attention, run:
npm audit fix
Remove that misleading note and developers will (at least partially) stop wasting their time...
I just install new react project and already have this annoying message about vulnerabilities. It's unbearable
I have the same issue (windows 2016 server)
>npm audit fix
up to date, audited 207 packages in 882ms
28 packages are looking for funding
run `npm fund` for details
# npm audit report
word-wrap *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
optionator 0.8.3 - 0.9.1
Depends on vulnerable versions of word-wrap
node_modules/optionator
2 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Tried this issue, but it just undid the ncu updates and downgraded everything.
This kind of worked for me. A few were still hanging on so I had to cd into the actual package's directory and then run ncu to get them to update.
what's the point in closing the bug if it's not fixed? I can't understand this. The npm's behaviour is really misleading, the command can't fix anything but keeps suggesting it, removing package-lock doesn't help at all. It seems to be a completely broken feature. Please remove it
I understand that this is a frustrating state of npm to be in, but I don’t see how keeping this issue open helps anyone. I opened it well over two years ago and it was for the longest time the most upvoted open issue in npm/cli by far. I explained why I closed it, too. Note that the issue wasn’t closed by npm, but by me as the one who reported it initially.
npm can open it again at any time and signal if they have any intention of addressing it.
yes, but honestly it doesn't seem to be a valid reason. it's up to you indeed as you're the topic starter. but closed issues never get any attention.
I have the same issue with the ip package. npm audit fix did not fix it, but installing the package and updating it manually helped.
That's why you should use npm-check-updates. It's a CLI tool that helps you to manage your package upgrades.
Before trying to fix anything, npm audit should at least tell you which of your packages depends on the vulnerable one(s).
Here is what you can do to update react-scripts:
Update react-scripts to the latest version: Run the command below to update the package:
npm install react-scripts@latest
This will update react-scripts to version 5.0.1 (or the latest version).
Check again: After the update, you can run the npm outdated command again to make sure the update was successful.
Check for other outdated dependencies: If there are more outdated packages, you can follow the same procedure to update them. Use the command:
npm update
This will update all dependencies to the latest compatible version, as defined in your package.json.
Test the project: After updating react-scripts, run your project to check that everything still works correctly:
npm start
This procedure should fix the vulnerabilities associated with the outdated version of react-scripts.
For anyone else who's still finding this issue, it can arise when having a dependency on a local project with npm install --prefix /path/to/project