[BUG] npm audit fix doesn't work

[kleinfreund]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

In my project, when running npm audit, one of the reported vulnerable packages is listed with the message “fix available via npm audit fix”, but running npm audit fix doesn’t lead to any updated packages and the exact same output as from the earlier run of npm audit is logged.

This occurs on kleinfreund/vue-accessible-color-picker@35bec0e.

Which dependency from my package.json file is actually the vulnerable one I cannot tell with the new output of npm audit in npm 7. This is what the output looks like:

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix`
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  1.0.0 - 2.3.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

Expected Behavior

When seeing a message with the clear instruction “fix available via npm audit fix”, I expect this to be truthful and npm audit fix to always produce a changed package-lock.json file.

Steps To Reproduce

1. Run git clone https://github.com/kleinfreund/vue-accessible-color-picker.git
2. Run git checkout 35bec0e751abad872de79657053cb8de07321faa to checkout the commit on the project’s main branch at the time of writing this.
3. Run npm install
4. Run npm audit. Observe how currently this includes an entry with the message “fix available via npm audit fix”. For this particular advisory, this is no longer the case, unfortunately.
5. Run npm audit fix

Environment

• OS: Ubuntu 20.04
• Node: v14.17.1
• npm: 7.19.0

[Trickfilm400]

Same issue here in my project (https://github.com/trickfilm400/vantage-node),
Troubleshooting steps tried:

• deleting package-lock.json
• deleting node_modules/ folder

this did not helped in any way

Environment:

• Windows 10
• npm 7.19.0
• node v14.17.0

Screenshot of console output for more information if needed

[chase-moskal]

i'm having the same problem in my project https://github.com/chase-moskal/xiome

[Rationum]

Encountering the exact same issue.
Enviroment:
Windows: 10
Node: 16.9.1
NPM: 7.24.2

[jeffreywdonahue]

Same issue, I ran the suggested force and I don't get better results. Do we need to manually add the updates for each package?

[tyukesz]

I have the same issue. I attach a screenshot, but there are lot more vuln packages than these 2, which cannot be "fixed".

[cpolanish]

I'm seeing the same thing on numerous packages as well
Win 11
Node 14.16.0
npm 7.6.3

[frudolph77]

Issue also exist in

$ node --version
v16.13.0
$ npm --version
8.1.0

[petera703]

Same issue here, getting worse and worse each time I run npm audit fix --force! :(

G:\>node --version v16.13.0 G:\>npm --version 8.1.4

Started with:

1 moderate severity vulnerability To address all issues, run: npm audit fix

But after running npm audit fix --force, it then said 27 vulnerabilities (16 moderate, 9 high, 2 critical)

And after running npm audit fix --force again, it said 53 vulnerabilities (12 low, 23 moderate, 16 high, 2 critical)

One time it said 66 vulnerabilities (54 moderate, 11 high, 1 critical), and after that I left it running in a loop (for /L %i in (1,1,50) do npm audit fix --force) which alternated between 27 and 53 vulnerabilities till I killed it.

I'm now attaching all output from the above, which shows the modules it was reporting.

_tmp.txt

[RienBijl]

Is there any hope of this issue being resolved?

[marte3707]

same problem here.

Npm 8.1.4
Node 17.1.0
WIndows 11