
Executing `npm audit`. It will be enough to show just the last three issues; all of them have the "fix available via `npm audit fix`" message:


tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp

undici  <=5.28.5
Severity: high
undici before v5.8.0 vulnerable to CRLF injection in request headers - https://github.com/advisories/GHSA-3cvr-822r-rqcc
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect - https://github.com/advisories/GHSA-q768-x9m6-m9qp
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type - https://github.com/advisories/GHSA-f772-66g8-q5h3
`undici.request` vulnerable to SSRF using absolute URL on `pathname` - https://github.com/advisories/GHSA-8qr4-xgw6-wmr3
Regular Expression Denial of Service in Headers - https://github.com/advisories/GHSA-r6ch-mqf9-qc9w
CRLF Injection in Nodejs ‘undici’ via host - https://github.com/advisories/GHSA-5r9g-qh6m-jxff
Undici's cookie header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
Use of Insufficiently Random Values in undici - https://github.com/advisories/GHSA-c76h-2ccp-4975
undici Denial of Service attack via bad certificate data - https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - https://github.com/advisories/GHSA-9qxr-qj54-h672
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
fix available via `npm audit fix`
node_modules/undici

10 vulnerabilities (1 low, 1 moderate, 8 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

All dependencies mentioned above are transitive ones, which means none of them has been directly installed, and thus none of them is listed in package.json.

Executing `npm audit fix`. As you can see, the message is exactly the same, and the number of vulnerabilities has not changed:


Why has nothing changed?

Versions:

  • Node.js: 22.15.0 (current Maintenance LTS)

  • npm: 10.9.0

  • Please add a focused, answerable question to your post. Commented Nov 22 at 5:04
  • Please don't post textual information in the form of pictures. Please see: Why should I not upload images of code/data/errors? If you still need an image, it can complement the textual information. Commented Nov 22 at 6:46
  • "Does npm audit fix do nothing?" - no. Commented Nov 22 at 8:05
  • @SergeyAKryukov I have appended the plain text version of the console output. Not sure that the monotonous text is more readable than the image version. Commented Nov 22 at 8:48
  • It's better. Have you posted the text version of that window for only one output text? Please understand: your bit images are virtually invisible, we don't need them. Just provide the text, sandwiched in Markdown fence lines, such as ~~~. It will make the text well-readable and enable clipboard Copy. Commented Nov 22 at 19:35

1 Answer

This probably means that the dependencies do have a fix (hence the "fix available"), but the given dependency tree in your project doesn't allow the automatic fix (for example, the parent dependency doesn't have a version which uses the dependency with the available fix), which leads to the part here: "Some issues need review, and may require choosing a different dependency", which probably also means you have some dependencies with "No fix available".

So, you'll probably need to dig around with `npm ls` and replace dependencies.

This audit-fix reporting loop has been reported as an issue with npm that goes way back, and the suggested workaround is to update vulnerable dependencies by hand.

[BUG] npm audit fix doesn't work #3472

and some more recent ones:

[BUG] npm audit fix only reports and doesn't fix #7123

[BUG] npm 7.6.0 audit fix --force recommends running npm audit fix --force (the same command) to fix issues. #2798
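As an added example that is not part of the question or this answer: a small Node script that does the "dig around" step on `npm audit --json` output, tracing each advisory-carrying transitive package up its `effects` chain to the direct dependency that pulls it in, and decoding the report's `fixAvailable` field. The dependency tree it runs on is constructed, with hypothetical direct-dependency names; only the tar and undici advisories come from the question's output.

```javascript
// Added example, not code from the question or answer: walk an
// `npm audit --json` (auditReportVersion 2) report from each vulnerable
// transitive package to the direct dependency responsible for it.

// `effects` lists the packages that depend on `name`; follow it upward until
// an entry with `isDirect: true` is reached. `seen` guards against cycles.
function directDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  if (vulns[name].isDirect) return [name];
  return vulns[name].effects.flatMap((e) => directDependents(vulns, e, seen));
}

// `fixAvailable` is true, false, or an object naming the top-level package
// whose semver-major bump is required (what `npm audit fix --force` would do).
function describeFix(fix) {
  if (fix === true) return 'fixable in place by npm audit fix';
  if (fix === false) return 'no fix available: replace or override the dependency';
  return `needs ${fix.name}@${fix.version} (semver-major: bump it by hand or use --force)`;
}

// One row per package that carries its own advisories (object entries in
// `via`); packages that are only vulnerable "via" another one are part of
// the chain and are not listed separately.
function traceReport(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns)
    .filter((v) => v.via.some((x) => typeof x === 'object'))
    .map((v) => ({
      package: v.name,
      severity: v.severity,
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.url),
      pulledInBy: [...new Set(directDependents(vulns, v.name))],
      action: describeFix(v.fixAvailable),
    }));
}

// CONSTRUCTED report: the tar and undici advisories mirror the question's
// output; the "example-*" direct dependencies and their chains are made up.
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  tar: { name: 'tar', severity: 'moderate', isDirect: false, effects: ['example-build-tool'], fixAvailable: true,
    via: [{ title: 'Denial of service while parsing a tar file', url: 'https://github.com/advisories/GHSA-f5x3-32g6-xq36' }] },
  'example-build-tool': { name: 'example-build-tool', severity: 'moderate', isDirect: false, via: ['tar'], effects: ['example-native-addon'], fixAvailable: true },
  'example-native-addon': { name: 'example-native-addon', severity: 'moderate', isDirect: true, via: ['example-build-tool'], effects: [], fixAvailable: true },
  undici: { name: 'undici', severity: 'high', isDirect: false, effects: ['example-api-client'], fixAvailable: false,
    via: [{ title: 'CRLF injection in request headers', url: 'https://github.com/advisories/GHSA-3cvr-822r-rqcc' }] },
  'example-api-client': { name: 'example-api-client', severity: 'high', isDirect: true, via: ['undici'], effects: [], fixAvailable: false },
} };

for (const row of traceReport(SAMPLE_REPORT)) console.log(JSON.stringify(row));
```

To run it on a real project, save `npm audit --json > audit.json` and replace SAMPLE_REPORT with `JSON.parse(require('node:fs').readFileSync('audit.json', 'utf8'))`. The `pulledInBy` names are the top of the chain `npm ls <package>` would show, i.e. the packages to bump or, as a last resort, pin via the package.json `overrides` field (npm 8.3+).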
