npm audit fix not changing anything

Tags: node.js, npm

I think this is a pretty basic question, but I've been stuck for a while:

I am trying to use npm audit fix to clean up an old repo that has many security vulnerabilities. When I run, I see that I get the following output:

fixed 3534 of 3576 vulnerabilities in 1926 scanned packages
  42 vulnerabilities required manual review and could not be updated

However, I see that nothing in package-lock.json was changed. So it doesn't appear that audit has actually done anything? When I run npm install I can again see the following:

found 3576 vulnerabilities (3550 low, 10 moderate, 14 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

Does this mean that the audit process was not able to resolve any of these issues? If so, how do I approach resolving these?

BruceK asked Oct 02 '20 01:10



1 Answer

What causes it: This would seem to be a known bug in npm for which no one has (yet) publicly worked out the cause, at least not that I can find. However you can see it reported in an issue in the current npm issue tracker which links to an issue in the archived npm issue tracker.

How to fix: When I encounter this behavior in npm, I do this:

$ rm -rf node_modules package-lock.json shrinkwrap.json npm-shrinkwrap.json
$ npm install

However, I don't think that works all the time. But if you haven't done that, it's worth a shot. @Kshewengger's suggestion to update npm is a good thing to try too. They suggest npm install -g npm and try that first, but if that doesn't work and if you don't mind an updated package-lock.json file format and other changes, you can also try npm install -g npm@7. As of this writing, npm install -g npm will give you [email protected] and npm install -g npm@7 will give you [email protected].

Trott answered Sep 20 '22 06:09
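The symptom in the question is that `npm audit fix` reports fixes while package-lock.json stays byte-for-byte identical. The following shell helper, an added example that is not part of the answer above, checksums the lockfile before and after a command so a CI job or a script can detect that no-op and fall back to the reinstall the answer describes. The function names are assumptions; nothing else about npm is assumed.

```shell
#!/usr/bin/env sh
# Added example: detect whether a command actually rewrote package-lock.json.

# Print a SHA-256 digest of the lockfile in the given directory, or "missing".
lockfile_digest() {
  if [ -f "$1/package-lock.json" ]; then
    # sha256sum on Linux; shasum -a 256 on macOS
    if command -v sha256sum >/dev/null 2>&1; then
      sha256sum "$1/package-lock.json" | cut -d' ' -f1
    else
      shasum -a 256 "$1/package-lock.json" | cut -d' ' -f1
    fi
  else
    echo missing
  fi
}

# Run a command inside a project directory and report whether the lockfile
# changed. Exit status 0 means package-lock.json differs afterwards, 1 means
# the command left it untouched (the no-op the question describes).
lockfile_changed_by() {
  dir=$1; shift
  before=$(lockfile_digest "$dir")
  # The command's own exit status is deliberately ignored here so a failing
  # `npm audit fix` does not abort a caller running under `set -e`.
  (cd "$dir" && "$@") >/dev/null 2>&1 || :
  after=$(lockfile_digest "$dir")
  [ "$before" != "$after" ]
}

# Typical use, mirroring the answer's fallback when audit fix is a no-op:
#   if ! lockfile_changed_by . npm audit fix; then
#     rm -rf node_modules package-lock.json shrinkwrap.json npm-shrinkwrap.json
#     npm install
#   fi
```

Run `npm audit` again after the reinstall: the lockfile changing proves npm rewrote it, not that every advisory was resolved.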