What does "npm audit fix" exactly do?

npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.

I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install. However npm audit fix still performs a lot of changes after lock file removal + reinstall.

What exactly does npm audit fix do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json (but still semver-compatible)?

Sampo asked Apr 24 '20 20:04



2 Answers

From NPM's site on their audit command:

npm audit fix runs a full-fledged npm install under the hood

And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:

Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:

$ npm audit fix --force

As for the lock file, it is regenerated each time you run a command that changes package.json. There is more information about that in an answer here as well as in the official documentation.

Noah May answered Oct 14 '22 02:10


In my understanding it is not only "upgrading" but sometimes also downgrading, in order to install the stable version that fixes the issue; sometimes those issues come in newer versions that may have introduced bugs or simply do not match the previous package's API, etc.

E.g. in my case npm install had upgraded react-scripts to 5.0.0, which has some issue, and after having run:

npm audit fix --force

The force flag does: "To address all issues (including breaking changes), run: npm audit fix --force"

it installed 3.0.1 with the following message:

npm WARN audit Updating react-scripts to 3.0.1, which is a SemVer major change.

So it does the upgrade to the stable version of that package that fixes the issue.

On top, though the docs state it "is running npm install under the hood", that is not in the sense of installing the newest version of a dependency; it could also be useful to check what happens with npm ci: What is the difference between "npm install" and "npm ci"?

Carmine Tambascia answered Oct 14 '22 02:10
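Both answers come down to one distinction: a fix that stays inside the semver range declared in package.json is applied by plain npm audit fix, while a fix that needs a SemVer-major change of a top-level dependency (which may be a downgrade, as in the react-scripts case above) is only applied with --force, and some advisories have no fix at all. The script below is an added example, not code from the question or either answer, that sorts an npm audit --json report into those three buckets. It assumes the npm 7+ report shape, where each entry under vulnerabilities carries a fixAvailable field that is true (in-range fix), false (no fix) or an object { name, version, isSemVerMajor } describing the top-level change required. The sample report, the installed versions and the package names other than react-scripts are constructed for the example, not real audit output.

```javascript
// Added example: classify an `npm audit --json` (npm 7+) report by what
// `npm audit fix` would do with each entry. Not part of the original Q&A.

// Constructed sample report. The react-scripts entry mirrors the case in the
// second answer (5.0.0 installed, fix lands on 3.0.1 via a SemVer-major
// change); "some-transitive-dep" and "unfixable-dep" are hypothetical names.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "react-scripts": {
      name: "react-scripts",
      severity: "high",
      isDirect: true,
      range: ">=4.0.0", // constructed vulnerable range
      fixAvailable: { name: "react-scripts", version: "3.0.1", isSemVerMajor: true },
    },
    "some-transitive-dep": {
      name: "some-transitive-dep",
      severity: "moderate",
      isDirect: false,
      range: "<1.2.6", // constructed vulnerable range
      fixAvailable: true, // a patched version exists inside the declared range
    },
    "unfixable-dep": {
      name: "unfixable-dep",
      severity: "low",
      isDirect: false,
      range: "*",
      fixAvailable: false, // no patched version published
    },
  },
};

// Installed versions, as `npm ls --json` would report them (constructed).
const INSTALLED = {
  "react-scripts": "5.0.0",
  "some-transitive-dep": "1.2.5",
  "unfixable-dep": "0.1.0",
};

// Minimal major.minor.patch comparison; the prerelease tag is ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns { compatible, needsForce, noFix }:
//   compatible - `npm audit fix` applies the fix within the semver range
//   needsForce - fix is a SemVer-major change of a top-level dep (`--force`);
//                `direction` says whether that is an upgrade or a downgrade
//   noFix      - the advisory has no fix available; manual review needed
function classifyAudit(report, installed) {
  const result = { compatible: [], needsForce: [], noFix: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (fix === false || fix == null) {
      result.noFix.push({ name, severity: vuln.severity });
    } else if (fix === true) {
      result.compatible.push({ name, severity: vuln.severity });
    } else if (fix.isSemVerMajor) {
      const from = installed[name];
      const direction =
        from && compareVersions(fix.version, from) < 0 ? "downgrade" : "upgrade";
      result.needsForce.push({ name, to: fix.version, direction, severity: vuln.severity });
    } else {
      // Object form without isSemVerMajor: the top-level dep changes, but
      // within its declared range, so plain `npm audit fix` handles it.
      result.compatible.push({ name, severity: vuln.severity });
    }
  }
  return result;
}

// Turn the classification into the commands a practitioner would actually run.
function suggestCommands(classification) {
  const cmds = [];
  if (classification.compatible.length) cmds.push("npm audit fix");
  if (classification.needsForce.length) cmds.push("npm audit fix --force  # review SemVer-major changes first");
  if (classification.noFix.length) cmds.push("# manual review: " + classification.noFix.map((v) => v.name).join(", "));
  return cmds;
}

console.log(JSON.stringify(classifyAudit(SAMPLE_REPORT, INSTALLED), null, 2));
console.log(suggestCommands(classifyAudit(SAMPLE_REPORT, INSTALLED)).join("\n"));
```

To use it on a real project, replace SAMPLE_REPORT with the parsed output of npm audit --json and INSTALLED with the versions from npm ls --json; the point of the needsForce bucket is that its entries are the ones whose lock-file changes you should diff and test before trusting, since --force will move a top-level dependency across a major version in either direction.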