
npm audit fix not changing anything

I think this is a pretty basic question but I've been stuck for a while:

I am trying to use npm audit fix to clean up an old repo that has many security vulnerabilities. When I run, I see that I get the following output:

fixed 3534 of 3576 vulnerabilities in 1926 scanned packages
  42 vulnerabilities required manual review and could not be updated

However, I see that nothing in package-lock.json was changed. So it doesn't appear that audit has actually done anything? When I run npm install I can again see the following:

found 3576 vulnerabilities (3550 low, 10 moderate, 14 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

Does this mean that the audit process was not able to resolve any of these issues? If so, how do I approach resolving these?

What causes it: This would seem to be a known bug in npm for which no one has (yet) publicly worked out the cause, at least not that I can find. However, you can see it reported in an issue in the current npm issue tracker which links to an issue in the archived npm issue tracker.

How to fix: When I encounter this behavior in npm, I do this:

$ rm -rf node_modules package-lock.json shrinkwrap.json npm-shrinkwrap.json
$ npm install

However, I don't think that works all the time. But if you haven't done that, it's worth a shot. @Kshewengger's suggestion to update npm is a good thing to try too. They suggest npm install -g npm and try that first, but if that doesn't work and if you don't mind an updated package-lock.json file format and other changes, you can also try npm install -g npm@7. As of this writing, npm install -g npm will give you npm@6.14.9 and npm install -g npm@7 will give you npm@7.0.15.

