
[BUG] npm audit fix --force alternates between downgrading and upgrading packages #5046


Closed
2 tasks done
dnicolson opened this issue Jun 20, 2022 · 6 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@dnicolson
Contributor

dnicolson commented Jun 20, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Running npm audit fix --force results in the react-scripts version being changed from 5.0.1 to 2.1.3. Running the command again will alternate between version 2.1.3 and 5.0.1.

#3472 is possibly related but the original description appears to be different.

Expected Behavior

The audit command to apply patches to a dependency, and not downgrade and then alternate versions.

Steps To Reproduce

  1. Run mkdir npm-test && cd npm-test
  2. Run npm i [email protected]
  3. Run npm audit fix --force
  4. Run npm ls react-scripts
    [email protected]
  5. Run npm audit fix --force
  6. Run npm ls react-scripts
    [email protected]

Environment

  • npm: 8.12.2
  • Node.js: 16.13.1
  • OS Name: macOS 12.4
  • System Model Name: MacBook Pro
  • npm config:
; node bin location = /Users/dave/.asdf/installs/nodejs/16.13.1/bin/node
; node version = v16.13.1
; npm local prefix = /Users/dave/Desktop/npm-test
; npm version = 8.12.2
; cwd = /Users/dave/Desktop/npm-test
; HOME = /Users/dave
; Run `npm config ls -l` to show all defaults.
@dnicolson dnicolson added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Jun 20, 2022
@tomerb

tomerb commented Jun 20, 2022

I'm seeing the same issue.

  • Fedora 36
  • npm 8.2.0
  • node.js 16.14.0

@tomerb

tomerb commented Jun 20, 2022

It looks like this is what is causing the issue (note the "Will install [email protected], which is a breaking change"):

# npm audit report

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

So it looks like react-scripts v5.0.1 has a dependency on `"@svgr/webpack": "^5.5.0"`, which needs an update, which is tracked here: facebook/create-react-app#12132

@tomerb

tomerb commented Jun 20, 2022

Following up on the issue I mentioned before, it looks like the fix/workaround for this issue is to move react-scripts to the devDependencies section, then run npm audit --production.
See more info here: facebook/create-react-app#11174

@dnicolson dnicolson changed the title [BUG] npm audit --fix alternates between downgrading and upgrading packages [BUG] npm audit fix --force alternates between downgrading and upgrading packages Jun 21, 2022
@dnicolson
Contributor Author

@tomerb thanks for your workaround but I think the underlying issue needs to be ultimately fixed.

It doesn't seem like it should be possible via npm audit fix --force to downgrade a main dependency to a three-year-old version with actual real vulnerabilities or how versions can be seemingly infinitely upgraded/downgraded with identical commands.
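An added example (not code from the issue or from npm): a small check a practitioner can run in CI after `npm audit fix --force` to catch exactly the failure described here, a direct dependency being moved to a lower version. It compares the `dependencies`/`devDependencies` of package.json before and after the command; the sample package.json objects are constructed to mirror the react-scripts 5.0.1 to 2.1.3 swing reported above.

```javascript
// Added example, not part of the issue or of npm itself.
// Flags direct dependencies whose pinned version went DOWN between two
// package.json snapshots, so a cross-major downgrade made by
// `npm audit fix --force` fails the pipeline instead of landing silently.

// Parse "5.0.1", "^5.0.1" or "~2.1.3" into [major, minor, patch].
// Returns null for specs we cannot compare (ranges, git/file URLs, tags).
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Negative if a < b, positive if a > b, 0 if equal (lexicographic on the triple).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Merge dependencies and devDependencies into one name -> spec map.
function directDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Return every direct dependency that was downgraded, with the number of
// major versions it dropped so a caller can decide how strict to be.
function findDowngrades(beforePkg, afterPkg) {
  const before = directDeps(beforePkg);
  const after = directDeps(afterPkg);
  const downgrades = [];
  for (const [name, afterSpec] of Object.entries(after)) {
    const a = parseVersion(afterSpec);
    const b = parseVersion(before[name]);
    if (!a || !b) continue; // newly added dep, or a spec we cannot compare
    if (compareVersions(a, b) < 0) {
      downgrades.push({ name, from: before[name], to: afterSpec, majorDrop: b[0] - a[0] });
    }
  }
  return downgrades;
}

// Constructed sample: package.json after `npm i react-scripts` and after `npm audit fix --force`.
const BEFORE = { dependencies: { 'react-scripts': '^5.0.1' } };
const AFTER = { dependencies: { 'react-scripts': '^2.1.3' } };

for (const d of findDowngrades(BEFORE, AFTER)) {
  console.log(`${d.name}: ${d.from} -> ${d.to} (${d.majorDrop} major versions down)`);
}
```

In a real pipeline, snapshot package.json before the audit command and exit non-zero when `findDowngrades` returns anything with `majorDrop > 0`.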

Eik-S added a commit to Eik-S/klinge-website that referenced this issue Jun 26, 2022
@fritzy
Contributor

fritzy commented Jun 30, 2022

Related #2798

@fritzy
Contributor

fritzy commented Jun 30, 2022

This is essentially a dupe of #2798, but with very clear reproduction instructions. I'll close this one here, but we'll use your report when working on the previous issue.
