-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm audit fix --force installs a vulnerable version of puppeteer #7599
Comments
This problem existed when there was no |
@TiAlRo I am not able to reproduce this issue. Without proper reproduction steps it's not feasible to identify the cause of the issue if there are any. |
Closing due to age. If this is still a problem please feel free to reopen this issue, or create a new issue w/ steps to reproduce. |
I can reproduce the behaviour:
The command installs The bug #6079 describes the same behaviour. |
@milaninfy, can you reopen this bug? Thx. |
It does update to 0.0.1 but it also shows that this version is also vulnerable due to it's dependencies. if you run fix one more time it updates it to 0.0.0 which I believe is not vulnerable. ~/workarea/rep $ npm i npm-audit-vulnerability-bug2
added 8 packages, and audited 9 packages in 1s
1 package is looking for funding
run `npm fund` for details
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
~/workarea/rep $ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating npm-audit-vulnerability-bug2 to 0.0.1, which is a SemVer major change.
changed 1 package, and audited 9 packages in 753ms
1 package is looking for funding
run `npm fund` for details
# npm audit report
micromatch *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/micromatch
npm-audit-vulnerability-bug *
Depends on vulnerable versions of micromatch
node_modules/npm-audit-vulnerability-bug
npm-audit-vulnerability-bug2 >=0.0.1
Depends on vulnerable versions of npm-audit-vulnerability-bug
node_modules/npm-audit-vulnerability-bug2
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
~/workarea/rep $ npm ls
[email protected] /Users/milaninfy/workarea/rep
└── [email protected]
~/workarea/rep $ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating npm-audit-vulnerability-bug2 to 0.0.0, which is a SemVer major change.
removed 7 packages, changed 1 package, and audited 2 packages in 684ms
found 0 vulnerabilities
~/workarea/rep $ npm audit
found 0 vulnerabilities |
When I run |
I published now the package |
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
The command
npm audit fix --force
installs[email protected]
, which depends on a vulnerable version ofws
, namely8.9.0
.Expected Behavior
The command
npm audit fix --force
should show there is no version ofpuppeteer
without vulnerability.Steps To Reproduce
npm i puppeteer
npm audit fix --force
Environment
The text was updated successfully, but these errors were encountered: