npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm 6.12.1 has high severity vulnerability


When installing npm@6.12.1 (latest), npm audit flags the “https-proxy-agent” package as a high severity vulnerability.

Even though the “make-fetch-happen” package has fixed its versioning, the fix hasn’t yet made its way to an npm release.

When can we expect an npm release with this vulnerability resolved?


What I Wanted to Do

I wanted to install the “npm” package and not have any dependencies flagged.

What Happened Instead

npm audit flagged 21 high severity vulnerabilities, all of which were the same package.

Reproduction Steps

  1. mkdir repro && cd repro
  2. npm init
  3. npm install --save-dev npm@latest

EDIT: updated to reflect the vulnerability still being in 6.12.1