npm audit fix does not provide enough information


(Brad Johnson) #1

When I run npm audit fix, it tells me that there is 1 package with a breaking change.

$ npm audit fix --dry-run
added 3 packages and updated 4 packages in 5.373s
fixed 3 of 26 vulnerabilities in 5456 scanned packages
  1 package update for 23 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or do it by hand)

It suggests I should “do it by hand” but I’m not told which package would need updating.

If I generate a json report, it’s not clear that there are any breaking changes incoming.

[10:41:19] bradiscool:client bjohnson$ npm audit fix --dry-run --json
{
  "added": [
    {
      "action": "add",
      "name": "ws",
      "version": "1.1.2",
      "path": "/Users/Vendasta/Projects/client/node_modules/engine.io-client/node_modules/ws"
    },
    {
      "action": "add",
      "name": "ws",
      "version": "1.1.2",
      "path": "/Users/Vendasta/Projects/client/node_modules/engine.io/node_modules/ws"
    },
    {
      "action": "add",
      "name": "safer-buffer",
      "version": "2.1.2",
      "path": "/Users/Vendasta/Projects/client/node_modules/safer-buffer"
    }
  ],
  "removed": [],
  "updated": [
    {
      "action": "update",
      "name": "bcrypt-pbkdf",
      "version": "1.0.2",
      "path": "/Users/Vendasta/Projects/client/node_modules/bcrypt-pbkdf",
      "previousVersion": "1.0.1"
    },
    {
      "action": "update",
      "name": "lodash",
      "version": "4.17.10",
      "path": "/Users/Vendasta/Projects/client/node_modules/lodash",
      "previousVersion": "4.17.4"
    },
    {
      "action": "update",
      "name": "sshpk",
      "version": "1.14.2",
      "path": "/Users/Vendasta/Projects/client/node_modules/sshpk",
      "previousVersion": "1.13.1"
    },
    {
      "action": "update",
      "name": "ws",
      "version": "1.1.5",
      "path": "/Users/Vendasta/Projects/client/node_modules/ws",
      "previousVersion": "1.1.2"
    }
  ],
  "moved": [],
  "failed": [],
  "warnings": [],
  "elapsed": 4655
}

Seems the only option I have is to run npm audit fix --force and comb over the results before I commit.
But, that criticizes me for my choices :stuck_out_tongue:

bradiscool:client bjohnson$ npm audit fix --force
npm WARN using --force I sure hope you know what you are doing.

It would be nice if npm audit fix would output the name of the package which needed a breaking update, and to which version it should be updated.

(The breaking change turned out to be karma ~1.7.0 => ^2.0.4 which is never mentioned)
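One way to get the missing information yourself, as an added example that is not part of the thread and not npm's own code: cross-check the actions in an `npm audit --json` report against the ranges declared in package.json and name the semver-major fixes. The field names (actions[].action/module/target/isMajor/resolves) follow the npm 6 audit JSON format as I recall it, and the sample report and package.json below are constructed, not real output.

```javascript
// Added example, not code from the thread or from npm: cross-check the "actions"
// in an `npm audit --json` report against the ranges declared in package.json and
// name the semver-major ("breaking") fixes that `npm audit fix` leaves for --force
// or a manual edit. Field names (actions[].action/module/target/isMajor/resolves)
// follow the npm 6 audit JSON format as I recall it; the sample data is constructed.

function parseSemver(version) {
  // Accepts a plain version or a simple range (^1.2.3, ~1.2.3, >=1.2.3, v1.2.3).
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Semver rule: a major bump is breaking; while major is 0, a minor bump is too.
function isBreakingUpdate(declaredRange, target) {
  const from = parseSemver(declaredRange), to = parseSemver(target);
  if (!from || !to) return true; // git URL, tag, etc.: cannot tell, review by hand
  return from.major !== to.major || (from.major === 0 && from.minor !== to.minor);
}

// One record per fix action that is a breaking change for a direct dependency.
function breakingFixes(auditReport, packageJson) {
  const declared = Object.assign({}, packageJson.dependencies, packageJson.devDependencies);
  const found = [];
  for (const act of auditReport.actions || []) {
    if (act.action !== 'install' && act.action !== 'update') continue;
    const range = declared[act.module];
    if (range === undefined) continue; // transitive dep: npm updates it within its range
    const breaking = typeof act.isMajor === 'boolean' ? act.isMajor
                                                      : isBreakingUpdate(range, act.target);
    if (breaking) found.push({ module: act.module, from: range, to: act.target,
                               advisories: (act.resolves || []).map(r => r.id) });
  }
  return found;
}

// Constructed sample modelled on the thread: karma ~1.7.0 -> 2.0.4 is breaking,
// lodash ^4.17.4 -> 4.17.10 is not. Advisory ids are placeholders.
const SAMPLE_PACKAGE_JSON = { dependencies: { lodash: '^4.17.4' },
                              devDependencies: { karma: '~1.7.0' } };
const SAMPLE_AUDIT = { actions: [
  { action: 'update', module: 'lodash', target: '4.17.10', resolves: [{ id: 1001 }] },
  { action: 'install', module: 'karma', target: '2.0.4', resolves: [{ id: 1002 }] },
] };

for (const f of breakingFixes(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.module}: ${f.from} => ^${f.to} (advisories: ${f.advisories.join(', ')})`);
}
```

Run against real data by piping `npm audit --json` and your package.json into `breakingFixes`; an entry with an unparsable range (a git URL, for example) is reported as breaking so you look at it by hand.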


(Kat Marchán) #2

I think just adding a little bit at the end that says "do it by hand by checking npm audit" would solve this pretty quick. No? Is that a thing you’d be interested in PRing?


(Brad Johnson) #3

I certainly could if someone doesn’t beat me to it :+1:


(Kat Marchán) #4

(Kat Marchán) #5

The PR has been merged. :slight_smile: