What did a npm audit fix --force change and how do you fix it?

I was trying to npm install apn --save and used npm audit fix --force. The 'Hope you know what you are doing' message made me realize that I don't know what I am doing. After that I originally was getting

node /home/ec2-user/myapp/bin/www: symbol lookup error: 
/home/ec2-user/myapp/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: undefined symbol: napi_add_finalizer

so I updated node to V14.16.0 but that didn't help so I decided to delete package-lock.json and node_modules and ran npm install after. This error would now come up,

PM2 error: Error: spawn node ENOENT
    at Process.ChildProcess._handle.onexit (internal/child_process.js:269:19)
    at onErrorNT (internal/child_process.js:465:16)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)

and I realized that PM2 didn't use the new node version. I upgraded PM2 and now it shows that my app is online as opposed to errored.
But I still get a 502 error if my node server was running (port 8080) when trying to run my website

[proxy_http:error] [pid 22860] (20014)Internal error 
(specific information not available): [client my IP address]
 AH01102: error reading status line from remote server 127.0.0.1:8080

and a 503 error if I stopped my node server.

[proxy:error] [pid 13022] (111)Connection refused:
 AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed

Has anyone else experienced this? Any and all help would be much appreciated. Also, I believe node-forge was a dependency of apn and needed the npm audit fix --force

BrianMiz asked Sep 14 '25 20:09


1 Answer

npm audit is a utility that reads your package.json and checks the version of its dependencies against a security vulnerability database. When something is found it gives you the severity of the vulnerability and the option to fix it.

What the fixing does is upgrade the unsafe dependencies of your project. npm audit fix only modifies the dependencies that shouldn't cause problems based on SEMVER rules.

The --force is a dangerous option because it upgrades the dependencies regardless of any rules. This can cause a dependency to go from version 1.2.0 to version 2.3.0, for example. That means that functions that you use in your project may not exist anymore or have a different behaviour, effectively breaking your application.

One option to fix this issue is going back on your versioning system (git, cvs, etc.) and recovering the previous package.json and package-lock.json. Then you should delete node_modules and any npm cache and run npm install.

More info on npm audit can be found here.

Drakmord2 answered Sep 17 '25 10:09
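As an added example (not from the original answer and not npm's own code), the following Node script answers the title's first question: it diffs the previous and current package-lock.json and flags which dependency jumps cross a semver-major boundary, i.e. the upgrades plain npm audit fix refuses and --force applies anyway. The two lockfile objects are constructed samples; for a real project you would load the old one with `git show HEAD:package-lock.json` and the current one from disk.

```javascript
// Added example: report what changed between two package-lock.json files and
// which changes are breaking under SemVer. Both lockfiles below are constructed
// samples, not real project files.

const parseVersion = (v) => v.split('.').map(Number);

// SemVer: a major change is breaking; for 0.x versions a minor change is too,
// since caret ranges like ^0.9.0 do not admit 0.10.0.
function isBreakingChange(from, to) {
  const [fMaj, fMin] = parseVersion(from);
  const [tMaj, tMin] = parseVersion(to);
  if (fMaj !== tMaj) return true;
  return fMaj === 0 && fMin !== tMin;
}

// lockfileVersion 2/3 record installed packages under "packages", keyed by
// install path ("node_modules/node-forge"). Strip the leading prefix; nested
// installs ("apn/node_modules/node-forge") keep their path so they stay distinct.
function installedVersions(lock) {
  const out = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    out[path.replace(/^node_modules\//, '')] = meta.version;
  }
  return out;
}

// Returns one record per package whose version differs (added or removed
// packages count as breaking, since code depending on them may not resolve).
function diffLockfiles(before, after) {
  const a = installedVersions(before), b = installedVersions(after);
  const changes = [];
  for (const name of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (a[name] === b[name]) continue;
    const both = Boolean(a[name] && b[name]);
    changes.push({ name, from: a[name] || null, to: b[name] || null,
      breaking: both ? isBreakingChange(a[name], b[name]) : true });
  }
  return changes.sort((x, y) => x.name.localeCompare(y.name));
}

// Constructed sample lockfiles: "before" as committed, "after" as rewritten by
// npm audit fix --force. Versions are illustrative only.
const beforeLock = { lockfileVersion: 2, packages: { '': { name: 'myapp' },
  'node_modules/apn': { version: '2.2.0' },
  'node_modules/bcrypt': { version: '3.0.6' },
  'node_modules/node-forge': { version: '0.9.0' } } };
const afterLock = { lockfileVersion: 2, packages: { '': { name: 'myapp' },
  'node_modules/apn': { version: '2.2.0' },
  'node_modules/bcrypt': { version: '3.0.8' },
  'node_modules/node-forge': { version: '1.3.1' } } };

console.table(diffLockfiles(beforeLock, afterLock));
```

Any row with breaking: true is a candidate for the API changes the answer warns about and is where to look first after an unexpected --force run.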