`npm audit fix` seems to need to be run multiple times

cli
triaged

(Morgan VanYperen) #1

What I Wanted to Do

Run npm audit fix once and fix all vulnerabilities that it can automagically fix.

What Happened Instead

It said it fixed all of the vulnerabilities. But then I ran npm audit again, and it immediately found new vulnerabilities and suggested I run npm audit fix again. I did so, and it fixed all of those too. Then I ran npm audit one more time, and finally it said it found 0 vulnerabilities. It seems odd and counter-intuitive that it can finish fixing everything it finds, but apparently what I’m left with is something that it can find more vulnerabilities in and fix if I ask it again.

Reproduction Steps

I ran those commands and had those results in this repository. The same thing happens whether you npm install or not, so I’ll just include the bare minimum steps to get a full view of it going from containing vulnerabilities to not:

npm audit
npm audit fix
npm audit
npm audit fix
npm audit

Platform Info

$ npm --versions
{ 'opendota-web': '1.0.1',
  npm: '6.2.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

(Kat Marchán) #2

I consider this a feature request, but can be managed. It needs a bit of refactor before it can be done, but I think it would be ok to run npm audit fix 2-3 times automatically in a chain until vulns reach 0. It can’t be done in one fell swoop because installing new packages changes the tree and transitive dependencies, and that can bring in new vulns. Definitely a thing I’d take a patch for!!
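The chained behaviour described in the reply above (audit, fix, audit again, stop when the count reaches 0 or a small retry cap is hit) can be scripted around the existing CLI without waiting for the refactor. The following is an added example, not code from the npm project or from either poster. It assumes the `metadata.vulnerabilities` layout of `npm audit --json` (per-severity counters in npm 6; npm 7+ adds a `total` key, which is ignored so nothing is counted twice) and it wraps the real commands in callables so the loop logic can also be driven offline with constructed sample reports that mirror the sequence in the original post.

```python
"""Run `npm audit fix` repeatedly until the audit reports zero vulnerabilities
or a retry cap is hit: the chained behaviour proposed in the thread above.
Added example; not npm's own code."""
import json
import subprocess

SEVERITIES = ("info", "low", "moderate", "high", "critical")
# The 2-3 rounds suggested above. A cap matters: each fix changes the tree and can
# pull in new transitive dependencies, so an uncapped loop could churn indefinitely.
MAX_ROUNDS = 3


def count_vulnerabilities(audit_json: str) -> int:
    """Total vulnerability count from the JSON printed by `npm audit --json`.
    Sums the per-severity counters under metadata.vulnerabilities; the 'total'
    key that newer npm versions add is deliberately not summed."""
    report = json.loads(audit_json)
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return sum(int(counts.get(sev, 0)) for sev in SEVERITIES)


def fix_until_clean(run_audit, run_fix, max_rounds=MAX_ROUNDS):
    """Chain audit -> fix -> audit until the count is 0 or max_rounds fixes have run.
    run_audit() must return the audit JSON as a string; run_fix() performs one
    `npm audit fix`. Returns (remaining_vulnerabilities, fix_rounds_executed)."""
    remaining = count_vulnerabilities(run_audit())
    rounds = 0
    while remaining > 0 and rounds < max_rounds:
        run_fix()
        rounds += 1
        remaining = count_vulnerabilities(run_audit())
    return remaining, rounds


def npm_audit_json() -> str:
    """Real audit. npm exits non-zero when vulnerabilities exist, so no check=True."""
    proc = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True)
    return proc.stdout


def npm_audit_fix() -> None:
    """Real fix round; a non-zero exit here is not fatal, the next audit decides."""
    subprocess.run(["npm", "audit", "fix"], check=False)


# Constructed sample reports (not real npm output) reproducing the thread's sequence:
# the first audit finds issues, the first fix brings in transitive dependencies with
# their own issues, and the second fix leaves the tree clean.
SAMPLE_REPORTS = [
    '{"metadata": {"vulnerabilities": {"info": 0, "low": 3, "moderate": 1, "high": 2, "critical": 0}}}',
    '{"metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0}}}',
    '{"metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 0, "total": 0}}}',
]


def simulate(reports=SAMPLE_REPORTS, max_rounds=MAX_ROUNDS):
    """Drive fix_until_clean with canned reports instead of the real npm (offline demo)."""
    report_iter = iter(reports)
    return fix_until_clean(lambda: next(report_iter), lambda: None, max_rounds)


if __name__ == "__main__":
    remaining, rounds = simulate()
    print(f"simulated: {remaining} vulnerabilities remain after {rounds} fix round(s)")
    # Uncomment to run against a real project directory:
    # remaining, rounds = fix_until_clean(npm_audit_json, npm_audit_fix)
```

Running `simulate()` yields `(0, 2)`: two fix rounds, exactly as in the original report, and `simulate(max_rounds=1)` stops early at `(2, 1)`, which is the point of the cap. When run for real, treat a non-zero final count as a signal for a human to look at the remaining advisories (typically ones that need a semver-major bump), not as a failure of the loop.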


(Morgan VanYperen) #3

Thank you for your responses and the advice you gave me on Twitter. I’ve been busy, but I should be able to get to it and submit something fairly soon!