npm Community Forum (Archive)


npm audit fix claims to have fixed vulnerability, but it doesn't

What I Wanted to Do

Fix the following vulnerability by running npm audit fix:

  Critical        Arbitrary Code Execution

  Package         eslint-utils

  Dependency of   @hapi/lab [dev]

  Path            @hapi/lab > eslint > eslint-utils

  More info       https://npmjs.com/advisories/1118

What Happened Instead

npm audit fix reported:

updated 1 package in 1.545s
fixed 1 of 1 vulnerability in 574 scanned packages

But running npm audit reveals that the vulnerability is still there.

Running npm update eslint-utils --depth 3 actually fixed the vulnerability.

Reproduction Steps

  1. Run npm audit and see:
# Run  npm update eslint-utils --depth 3  to resolve 1 vulnerability

  Critical        Arbitrary Code Execution

  Package         eslint-utils

  Dependency of   @hapi/lab [dev]

  Path            @hapi/lab > eslint > eslint-utils

  More info       https://npmjs.com/advisories/1118


found 1 critical severity vulnerability in 574 scanned packages
  run `npm audit fix` to fix 1 of them.
  2. Run npm audit fix and see:
updated 1 package in 1.461s
fixed 1 of 1 vulnerability in 574 scanned packages
  3. Run npm audit and see:
# Run  npm update eslint-utils --depth 3  to resolve 1 vulnerability

  Critical        Arbitrary Code Execution

  Package         eslint-utils

  Dependency of   @hapi/lab [dev]

  Path            @hapi/lab > eslint > eslint-utils

  More info       https://npmjs.com/advisories/1118


found 1 critical severity vulnerability in 574 scanned packages
  run `npm audit fix` to fix 1 of them.

Details

Dependency versions:
@hapi/lab: 19.1.0
eslint: 4.19.1

Platform Info

$ npm --versions
{ 'pds-lc3-test-data-suite': '1.0.0',
  npm: '6.11.3',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.12',
  zlib: '1.2.11' }
$ node -p process.platform
win32
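The post above shows `npm audit fix` reporting "fixed 1 of 1" while `npm audit` still finds the same advisory on the nested path `@hapi/lab > eslint > eslint-utils`. One way that can happen is that the fix updates one installed copy of a package (for example a hoisted top-level copy) while another copy nested deeper in the tree stays at the old version; the suggested `npm update eslint-utils --depth 3` reaches exactly that depth. The script below is an added example, not code from the thread or from npm: it walks an npm 6 `package-lock.json` (lockfileVersion 1), lists every installed copy of a package with its nesting path, and flags the copies below an assumed patched version. The lock file, its version numbers, and the patched version `1.4.1` are constructed for illustration; the real fixed range is on the advisory page linked in the post.

```javascript
// Added example (not from the forum post): find every installed copy of a
// package in an npm v6 package-lock.json and flag the ones still below a
// patched version, so "fixed 1 of 1" can be checked against what is on disk.

// Constructed lock file modelled on the thread's path
// @hapi/lab > eslint > eslint-utils. All versions here are assumed.
const sampleLock = {
  name: 'pds-lc3-test-data-suite',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    // hoisted copy at depth 1: the one a shallow update is likely to touch
    'eslint-utils': { version: '1.4.2', dev: true },
    '@hapi/lab': {
      version: '19.1.0',
      dev: true,
      requires: { eslint: '^4.19.1' },
      dependencies: {
        eslint: {
          version: '4.19.1',
          dev: true,
          requires: { 'eslint-utils': '^1.3.1' },
          dependencies: {
            // nested copy at depth 3: still the old version after the "fix"
            'eslint-utils': { version: '1.3.1', dev: true },
          },
        },
      },
    },
  },
};

// Compare two dotted numeric versions; returns <0, 0 or >0 like strcmp.
// Pre-release suffixes are dropped, which is enough for this check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk of the nested "dependencies" maps. Returns one entry per
// installed copy of `name`, with the path in the "a > b > c" form npm audit
// prints and the nesting depth (the number --depth would need to reach it).
function findInstalled(lock, name) {
  const found = [];
  function walk(deps, trail) {
    for (const [depName, info] of Object.entries(deps || {})) {
      const path = [...trail, depName];
      if (depName === name) {
        found.push({ path: path.join(' > '), version: info.version, depth: path.length });
      }
      walk(info.dependencies, path);
    }
  }
  walk(lock.dependencies, []);
  return found;
}

// Copies of `name` whose version is still below `patchedVersion`.
// Run this after `npm audit fix` instead of trusting its summary line.
function stillVulnerable(lock, name, patchedVersion) {
  return findInstalled(lock, name).filter(
    (c) => compareVersions(c.version, patchedVersion) < 0,
  );
}

// Assumed patched version for the eslint-utils advisory in the thread;
// the authoritative range is at https://npmjs.com/advisories/1118.
const PATCHED_ESLINT_UTILS = '1.4.1';

for (const c of findInstalled(sampleLock, 'eslint-utils')) {
  console.log(`installed: ${c.path} @ ${c.version} (depth ${c.depth})`);
}
for (const c of stillVulnerable(sampleLock, 'eslint-utils', PATCHED_ESLINT_UTILS)) {
  console.log(`still vulnerable: ${c.path} @ ${c.version} (depth ${c.depth})`);
}
```

Against the constructed lock file the script reports two installed copies and one still-vulnerable copy, the depth-3 one on the same path the audit keeps printing. On a real project, `npm ls eslint-utils` shows the same set of installed copies, and running it before and after `npm audit fix` is the quick way to see which copy the fix actually changed.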


I’m seeing the same issue:

Running the cmd it suggests doesn’t fix the vulns either.