[BUG] npm audit fix does nothing #9557

@jendrikw

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

The output of npm audit says "fix available via npm audit fix", but running that makes no difference.

Complete output:

# npm audit report

esbuild  0.17.0 - 0.28.0
Severity: high
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY - https://github.com/advisories/GHSA-gv7w-rqvm-qjhr
esbuild allows arbitrary file read when running the development server on Windows - https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
fix available via `npm audit fix --force`
Will install vite@8.0.16, which is a breaking change
node_modules/esbuild
  vite  4.2.0-beta.0 - 8.0.3
  Depends on vulnerable versions of esbuild
  node_modules/vite

js-yaml  <=4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix`
node_modules/@yarnpkg/parsers/node_modules/js-yaml
  @yarnpkg/parsers  *
  Depends on vulnerable versions of js-yaml
  node_modules/@yarnpkg/parsers
    lockfile-lint-api  >=5.2.5
    Depends on vulnerable versions of @yarnpkg/parsers
    node_modules/lockfile-lint-api

5 vulnerabilities (3 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected Behavior

The docs for npm audit state:

If any vulnerabilities are found, then the impact and appropriate remediation will be calculated. If the fix argument is provided, then remediations will be applied to the package tree.

And the output of npm audit also states:

fix available via npm audit fix

So I expect npm audit fix to fix the things it says it would fix.

Steps To Reproduce

package.json

package-lock.json

Environment

  • npm: 11.16.0
  • Node.js: v22.22.2
  • OS Name: Debian forky/sid
  • System Model Name: N/A
  • npm config:
; "builtin" config from /usr/share/nodejs/npm/npmrc

prefix = "/usr/local"

; "global" config from /etc/npmrc

https-proxy = "http://XXXXX:8080/"
proxy = "http://XXXXX:8080/"

; "user" config from /home/XXXXX/.npmrc

//registry.npmjs.org/:_authToken = (protected)

; environment-related config

; no_proxy = "localhost,127.0.0.1,XXXXX"
; https_proxy = "http://XXXXX:8080"
; HTTP_PROXY = "http://XXXXX:8080"

; node bin location = /usr/bin/node
; node version = v22.22.2
; npm local prefix = /home/XXXXX
; npm version = 11.16.0
; cwd = /home/XXXXX
; HOME = /home/XXXXX
; Run `npm config ls -l` to show all defaults.
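As an added example (not part of this issue, and not npm's own code), the following Python script reads `npm audit --json` output, classifies each finding by whether plain `npm audit fix` or `npm audit fix --force` is claimed to resolve it, and diffs a before/after snapshot to surface exactly the symptom reported here: packages npm marks as fixable that are still reported after the fix ran. It assumes the npm 7+ audit JSON layout (a `vulnerabilities` map keyed by package name, each record carrying `severity`, `via` and `fixAvailable`); the two snapshots embedded in it are constructed from the report above, not captured from the reporter's project, and the advisory titles are abbreviated.

```python
"""Triage an `npm audit --json` report and check what `npm audit fix` actually changed.

Assumption (not from the issue): the npm 7+ audit JSON layout, where
`vulnerabilities` maps a package name to a record holding `severity`, `via`
(advisory objects, or names of other vulnerable packages it depends on) and
`fixAvailable` (true, false, or {"name", "version", "isSemVerMajor"}).
"""
import json
from collections import Counter

GH = "https://github.com/advisories/"
BREAKING_FIX = {"name": "vite", "version": "8.0.16", "isSemVerMajor": True}


def _adv(name, title, ghsa, severity, rng):
    """Shape of one advisory object inside a record's `via` list."""
    return {"name": name, "title": title, "url": GH + ghsa, "severity": severity, "range": rng}


# Constructed snapshot modelled on the report quoted in the issue above.
BEFORE = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "esbuild": {"severity": "high", "range": "0.17.0 - 0.28.0", "nodes": ["node_modules/esbuild"],
                    "fixAvailable": BREAKING_FIX,
                    "via": [_adv("esbuild", "Missing binary integrity verification in Deno module",
                                 "GHSA-gv7w-rqvm-qjhr", "high", "0.17.0 - 0.28.0"),
                            _adv("esbuild", "Arbitrary file read via dev server on Windows",
                                 "GHSA-g7r4-m6w7-qqqr", "high", "0.17.0 - 0.28.0")]},
        "vite": {"severity": "high", "range": "4.2.0-beta.0 - 8.0.3", "nodes": ["node_modules/vite"],
                 "fixAvailable": BREAKING_FIX, "via": ["esbuild"]},
        "js-yaml": {"severity": "moderate", "range": "<=4.1.1", "fixAvailable": True,
                    "nodes": ["node_modules/@yarnpkg/parsers/node_modules/js-yaml"],
                    "via": [_adv("js-yaml", "Quadratic-complexity DoS in merge key handling",
                                 "GHSA-h67p-54hq-rp68", "moderate", "<=4.1.1")]},
        "@yarnpkg/parsers": {"severity": "moderate", "range": "*", "fixAvailable": True,
                             "nodes": ["node_modules/@yarnpkg/parsers"], "via": ["js-yaml"]},
        "lockfile-lint-api": {"severity": "moderate", "range": ">=5.2.5", "fixAvailable": True,
                              "nodes": ["node_modules/lockfile-lint-api"], "via": ["@yarnpkg/parsers"]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 3, "high": 2,
                                     "critical": 0, "total": 5}},
}

# Constructed "after" snapshots: what the issue observed (nothing changed) and what the
# docs lead one to expect (the non-breaking js-yaml chain cleared, the breaking one kept).
AFTER_UNCHANGED = json.loads(json.dumps(BEFORE))
AFTER_FIXED = json.loads(json.dumps(BEFORE))
for _pkg in ("js-yaml", "@yarnpkg/parsers", "lockfile-lint-api"):
    del AFTER_FIXED["vulnerabilities"][_pkg]
AFTER_FIXED["metadata"]["vulnerabilities"].update({"moderate": 0, "total": 2})


def fix_kind(record):
    """none | fix (plain `npm audit fix`) | fix-breaking (needs `--force`), from `fixAvailable`."""
    fix = record.get("fixAvailable", False)
    if fix is True:
        return "fix"
    if not fix:
        return "none"
    return "fix-breaking" if fix.get("isSemVerMajor") else "fix"


def triage(report):
    """{package: (severity, fix kind, [advisory URLs])}; string `via` entries are not advisories."""
    out = {}
    for name, rec in report["vulnerabilities"].items():
        urls = [v["url"] for v in rec.get("via", []) if isinstance(v, dict)]
        out[name] = (rec["severity"], fix_kind(rec), urls)
    return out


def severity_counts(report):
    """Recount severities from the records; should agree with report['metadata']['vulnerabilities']."""
    return dict(Counter(rec["severity"] for rec in report["vulnerabilities"].values()))


def expected_after_fix(report, force=False):
    """Packages the report itself claims `npm audit fix` (or `--force`) will clear."""
    kinds = {"fix", "fix-breaking"} if force else {"fix"}
    return sorted(n for n, r in report["vulnerabilities"].items() if fix_kind(r) in kinds)


def diff_reports(before, after):
    """(resolved, remaining): package names gone from / still present in the second snapshot."""
    b, a = set(before["vulnerabilities"]), set(after["vulnerabilities"])
    return sorted(b - a), sorted(b & a)


def unexpected_leftovers(before, after, force=False):
    """Packages npm said were fixable that are still reported afterwards: the issue's symptom."""
    _, remaining = diff_reports(before, after)
    return sorted(set(expected_after_fix(before, force)) & set(remaining))


if __name__ == "__main__":
    # With real data: `npm audit --json > before.json; npm audit fix; npm audit --json > after.json`
    # and json.load() each file in place of the constructed snapshots.
    for pkg, (sev, kind, urls) in sorted(triage(BEFORE).items()):
        print(f"{pkg:18} {sev:9} {kind:13} {' '.join(urls)}")
    print("fixable but still present:", unexpected_leftovers(BEFORE, AFTER_UNCHANGED))
```

Against the two constructed snapshots, `unexpected_leftovers(BEFORE, AFTER_UNCHANGED)` returns the whole js-yaml chain, which is the "makes no difference" outcome described above, while `unexpected_leftovers(BEFORE, AFTER_FIXED)` is empty. Run with `force=True` it also lists esbuild and vite, since those are only claimed fixable via the breaking vite upgrade. The `severity_counts` recount is a cheap cross-check that the `metadata` summary npm prints (here 3 moderate, 2 high) matches the per-package records.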

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)