I think this is a pretty basic question but I've been stuck for a while:

I am trying to use `npm audit fix` to clean up an old repo that has many security vulnerabilities. When I run it, I see that I get the following output:

fixed 3534 of 3576 vulnerabilities in 1926 scanned packages
42 vulnerabilities required manual review and could not be updated

However, I see that nothing in package-lock.json was changed. So it doesn't appear that audit has actually done anything? When I run `npm install` I can again see the following:

found 3576 vulnerabilities (3550 low, 10 moderate, 14 high, 2 critical)
run `npm audit fix` to fix them, or `npm audit` for details

Does this mean that the audit process was not able to resolve any of these issues? If so, how do I approach resolving these?
What causes it: This would seem to be a known bug in npm for which no one has (yet) publicly worked out the cause, at least not that I can find. However, you can see it reported in an issue in the current npm issue tracker, which links to an issue in the archived npm issue tracker.

How to fix: When I encounter this behavior in npm, I do this:

$ rm -rf node_modules package-lock.json shrinkwrap.json npm-shrinkwrap.json
$ npm install

However, I don't think that works all the time. But if you haven't done that, it's worth a shot. @Kshewengger's suggestion to update npm is a good thing to try too. They suggest `npm install -g npm` and trying that first, but if that doesn't work and if you don't mind an updated package-lock.json file format and other changes, you can also try `npm install -g npm@7`. As of this writing, `npm install -g npm` will give you npm@6.14.9 and `npm install -g npm@7` will give you npm@7.0.15.
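The confusion in the question is that `npm audit fix` reports thousands of fixes while package-lock.json stays byte-for-byte identical. The script below is an added example, not part of the answer above and not npm's own tooling: it hashes the lockfile before and after running a command so you can tell whether `npm audit fix` actually rewrote it, and only then falls back to the answer's clean reinstall. The function names (`lockfile_digest`, `run_and_check_lockfile`, `clean_reinstall`) are my own; it assumes a POSIX shell with either `sha256sum` or `shasum` available, and npm on PATH when run for real.

```shell
#!/bin/sh
# Added example: detect whether a command (e.g. `npm audit fix`) changed a lockfile.
# Not from the original answer; helper names are hypothetical.

# lockfile_digest FILE
# Print a SHA-256 digest of FILE, or "missing" if it does not exist.
lockfile_digest() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | cut -d' ' -f1
    else
        shasum -a 256 "$f" | cut -d' ' -f1      # macOS fallback
    fi
}

# run_and_check_lockfile LOCKFILE CMD [ARGS...]
# Run CMD and print "changed" or "unchanged" depending on whether LOCKFILE's
# digest moved. A non-zero exit from CMD is tolerated, because `npm audit fix`
# exits non-zero whenever vulnerabilities remain after the run.
run_and_check_lockfile() {
    lock="$1"; shift
    before=$(lockfile_digest "$lock")
    "$@" >/dev/null 2>&1 || true
    after=$(lockfile_digest "$lock")
    if [ "$before" = "$after" ]; then
        echo "unchanged"
    else
        echo "changed"
    fi
}

# clean_reinstall
# The fallback from the answer above. Destructive: deletes node_modules and
# every lockfile variant, then resolves the tree from scratch.
clean_reinstall() {
    rm -rf node_modules package-lock.json shrinkwrap.json npm-shrinkwrap.json
    npm install
}

# Usage inside a project directory:  sh check_audit_fix.sh run
if [ "${1:-}" = "run" ]; then
    result=$(run_and_check_lockfile package-lock.json npm audit fix)
    echo "npm audit fix left package-lock.json: $result"
    if [ "$result" = "unchanged" ]; then
        echo "Lockfile did not change; next steps: clean_reinstall (deletes node_modules)"
        echo "or update npm with: npm install -g npm"
    fi
fi
```

Because the lockfile is what `npm install` reads to decide which versions to put in node_modules, an unchanged lockfile after `npm audit fix` means the next install will pull exactly the same vulnerable tree, which is why the same "found 3576 vulnerabilities" line reappears. Checking the digest turns "did audit do anything?" into a yes/no answer before you reach for the destructive `rm -rf`.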