v0.14.151 'socket fix' behavior question

[samschurter]

Socket.dev CLI ver 0.14.151:b67c138:f57bde1d:pub
Node: v22.14.0, API token set: BA9wW
Command: socket fix, cwd: ~/Development/app-name/functions/esriHealthCheck

I have a package.json with a vulnerability in esbuild reported by npm audit

❯ npm audit
# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix`
node_modules/esbuild
  vite  0.11.0 - 6.1.5
  Depends on vulnerable versions of esbuild
  node_modules/vite


2 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

If I run npm audit fix it fixes the immediate issue in Vite, although it does apparently make the situation worse rather than better:

❯ npm audit fix

changed 1 package, and audited 468 packages in 2s

87 packages are looking for funding
  run `npm fund` for details

# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install vitest@3.1.2, which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.5
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitest/mocker  <=3.0.0-beta.4
    Depends on vulnerable versions of vite
    node_modules/@vitest/mocker
      vitest  0.0.1 - 0.0.12 || 0.0.29 - 0.0.122 || 0.3.3 - 3.0.0-beta.4
      Depends on vulnerable versions of @vitest/mocker
      Depends on vulnerable versions of vite
      Depends on vulnerable versions of vite-node
      node_modules/vitest
    vite-node  <=2.2.0-beta.2
    Depends on vulnerable versions of vite
    node_modules/vite-node

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

If I revert the changes to package-lock.json and instead use socket fix, it finds no fixable vulnerabilities:

❯ socket fix
   _____         _       _        /---------------
  |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver 0.14.151:b67c138:f57bde1d:pub
  |__   | . |  _| '_| -_|  _|     | Node: v22.14.0, API token set: BA9wW
  |_____|___|___|_,_|___|_|.dev   | Command: `socket fix`, cwd: ~/Development/Beyond-Maps/functions/esriHealthCheck

ℹ Fixing packages for npm
ℹ No fixable vulnerabilities found.

Is that the intended behavior? I understand that ultimately the issue is not completely fixable without bumping a major version, but I would have expected the socket fix output to acknowledge that the vulnerability existed and could not be fixed.
package-lock.json
package.json

[samschurter]

package-lock.json
package.json

A second example that includes what seems to be an fixable vulnerability:

❯ npm audit
# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix`
node_modules/esbuild
  vite  0.11.0 - 6.1.5
  Depends on vulnerable versions of esbuild
  node_modules/vite

tar-fs  2.0.0 - 2.1.1
Severity: high
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File - https://github.com/advisories/GHSA-pq67-2wwv-3xjx
fix available via `npm audit fix`
node_modules/tar-fs


3 vulnerabilities (2 moderate, 1 high)

To address all issues, run:
  npm audit fix

After npm audit fix (notice the tar-fs high severity vuln is fully resolved)

❯ npm audit fix
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: 'cloudevents@7.0.2',
npm warn EBADENGINE   required: { node: '>=16 <=20' },
npm warn EBADENGINE   current: { node: 'v22.14.0', npm: '10.9.2' }
npm warn EBADENGINE }

up to date, audited 724 packages in 3s

126 packages are looking for funding
  run `npm fund` for details

# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install vite@6.3.3, which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.5
  Depends on vulnerable versions of esbuild
  node_modules/vite
    vite-node  <=2.2.0-beta.2
    Depends on vulnerable versions of vite
    node_modules/vite-node
      vitest  0.0.1 - 0.0.12 || 0.0.29 - 0.0.122 || 0.3.3 - 2.2.0-beta.2
      Depends on vulnerable versions of vite
      Depends on vulnerable versions of vite-node
      node_modules/vitest

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Reverting and running socket fix instead:

❯ socket fix
   _____         _       _        /---------------
  |   __|___ ___| |_ ___| |_      | Socket.dev CLI ver 0.14.151:b67c138:f57bde1d:pub
  |__   | . |  _| '_| -_|  _|     | Node: v22.14.0, API token set: BA9wW
  |_____|___|___|_,_|___|_|.dev   | Command: `socket fix`, cwd: ~/Development/Beyond-Maps/functions/retrieveFirebaseUsers

ℹ Fixing packages for npm
ℹ No fixable vulnerabilities found.

Still finds no fixable vulnerabilities.