npm install followed by npm audit fix leads to inconsistent behavior (ran 3 times, 3 different behaviors)

TL;DR: running npm install followed by npm audit fix reports random numbers of vulnerabilities and inconsistent behavior. I have run the pair of commands 3 times with 3 completely different results. No idea what is going on here.

Today I tried installing a new package in a project. Previously this project had 0 vulnerabilities being reported. After installing the new one I got 12700 high vulnerabilities. Thinking these were due to the new package, I uninstalled it but was still receiving the warning.

I then deleted node_modules and ran a fresh install. This is when the weirdness began. On a fresh install of the same packages I have been using for the past month (0 vulnerabilities previously reported) I am receiving 12700 high vulns.

Running audit fix says it fixed all of them. Running npm install again to test that they were fixed reports the same 12700 back again.

Here is where it gets really strange: running npm audit fix now “updated a package” of mine and reported that 4800/8400 were fixed (despite having just claimed 12700 were present).

I have run this all anew and written the outputs to a log file to have some reproducible results… getting more inconsistent behavior.

npm: 6.10.1
node: 10.15.4

log outputs:

$ npm i # fresh install after deleting node_modules

> fsevents@1.2.9 install /Users/.../node_modules/fsevents
> node install

[fsevents] Success: "/Users/.../node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node" is installed via remote

> core-js@2.6.8 postinstall /Users/.../node_modules/@babel/polyfill/node_modules/core-js
> node -e "try { require('./scripts/postinstall'); } catch (e) { /* empty */ }"

Thank you for using core-js ( https://github.com/zloirock/core-js )!

Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)


> core-js@2.6.9 postinstall /Users/.../node_modules/babel-runtime/node_modules/core-js
> node scripts/postinstall || echo "ignore"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)


> core-js@3.1.2 postinstall /Users/.../node_modules/core-js
> node -e "try { require('./scripts/postinstall'); } catch (e) { /* empty */ }"

Thank you for using core-js ( https://github.com/zloirock/core-js )!

Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)


> protobufjs@6.8.8 postinstall /Users/.../node_modules/protobufjs
> node scripts/postinstall


> nodemon@1.19.1 postinstall /Users/.../node_modules/nodemon
> node bin/postinstall || exit 0

added 1106 packages from 772 contributors and audited 865602 packages in 21.404s
found 12723 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix # 1st audit fix

removed 2 packages and updated 3 packages in 14.8s
fixed 12723 of 12723 vulnerabilities in 865602 scanned packages

$ npm i # second install

audited 878325 packages in 9.381s
found 8482 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix # 2nd audit fix

+ knex@0.19.0
added 2 packages from 2 contributors, removed 5 packages and updated 6 packages in 8.408s
fixed 4810 of 8482 vulnerabilities in 878325 scanned packages
  3672 vulnerabilities required manual review and could not be updated

$ npm i # 3rd install

audited 878320 packages in 7.749s
found 8482 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix # 3rd audit fix

up to date in 3.886s
fixed 0 of 8482 vulnerabilities in 878320 scanned packages
  8482 vulnerabilities required manual review and could not be updated

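The "found N high severity vulnerabilities" line that npm 6 prints is worth reading against the structure of `npm audit --json`: each advisory carries `findings`, and each finding lists every dependency `path` on which the vulnerable version is reachable; the totals in `metadata.vulnerabilities` (the numbers `npm install` prints) count those paths, not distinct advisories. So one advisory against a package that sits on thousands of paths in a 1000-package tree is reported as thousands of vulnerabilities, and the number moves whenever `npm install` or `npm audit fix` re-resolves the tree and changes how many paths lead to the vulnerable version. `npm audit fix` also only applies the `update`/`install` actions that stay within semver (semver-major bumps need `--force`) and never applies `review` actions, which is what "required manual review" counts. The script below is an added example and not part of the original post or of npm itself; it summarises an npm 6 style audit report in those terms and checks the per-path totals it computes against the report's own metadata. Every package name, advisory id and path in `sampleReport` is a constructed placeholder, not a real advisory.

```javascript
'use strict';
// Added example, not from the original post: summarise an npm 6 style
// `npm audit --json` report so the headline "found N vulnerabilities" count
// can be explained. All names, ids and paths below are constructed placeholders.
const sampleReport = {
  actions: [
    // semver-compatible update: `npm audit fix` applies this on its own
    { action: 'update', module: 'libfoo', target: '1.2.3', depth: 2, isMajor: false,
      resolves: [
        { id: 1001, path: 'libbar>libfoo', dev: false },
        { id: 1001, path: 'tool>libbar>libfoo', dev: false },
        { id: 1001, path: 'other>libfoo', dev: false },
      ] },
    // semver-major bump of a top-level dependency: skipped unless `--force`
    { action: 'install', module: 'libbar', target: '2.0.0', depth: 1, isMajor: true,
      resolves: [
        { id: 1002, path: 'libbar', dev: false },
        { id: 1002, path: 'tool>libbar', dev: false },
      ] },
    // no patched version published: always "requires manual review"
    { action: 'review', module: 'libbaz',
      resolves: [{ id: 1003, path: 'tool>libbaz', dev: true }] },
  ],
  advisories: {
    1001: { id: 1001, module_name: 'libfoo', severity: 'high',
      vulnerable_versions: '<1.2.3', patched_versions: '>=1.2.3',
      findings: [{ version: '1.2.0', paths: ['libbar>libfoo', 'tool>libbar>libfoo', 'other>libfoo'] }] },
    1002: { id: 1002, module_name: 'libbar', severity: 'high',
      vulnerable_versions: '<2.0.0', patched_versions: '>=2.0.0',
      findings: [{ version: '1.9.0', paths: ['libbar', 'tool>libbar'] }] },
    1003: { id: 1003, module_name: 'libbaz', severity: 'low',
      vulnerable_versions: '<=0.9.9', patched_versions: '<0.0.0',
      findings: [{ version: '0.9.9', paths: ['tool>libbaz'] }] },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 0, high: 5, critical: 0 },
    dependencies: 900, devDependencies: 200, optionalDependencies: 6, totalDependencies: 1106,
  },
};

// Count what npm counts: one "vulnerability" per (advisory, dependency path).
function countFindings(report) {
  const bySeverity = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const byModule = {};
  let totalPaths = 0;
  for (const adv of Object.values(report.advisories)) {
    const paths = adv.findings.reduce((n, f) => n + f.paths.length, 0);
    bySeverity[adv.severity] = (bySeverity[adv.severity] || 0) + paths;
    byModule[adv.module_name] = (byModule[adv.module_name] || 0) + paths;
    totalPaths += paths;
  }
  return {
    totalPaths,
    distinctAdvisories: Object.keys(report.advisories).length,
    distinctModules: Object.keys(byModule).length,
    bySeverity,
    byModule,
  };
}

// Split the actions the way `npm audit fix` does: semver-compatible
// update/install actions are applied, semver-major ones only with --force,
// and 'review' actions never.
function classifyActions(report, force = false) {
  const result = { autoFixable: 0, manual: 0, reasons: [] };
  for (const a of report.actions) {
    const n = a.resolves.length;
    if (a.action === 'review') {
      result.manual += n;
      result.reasons.push(`${a.module}: no fix available, ${n} path(s) need manual review`);
    } else if (a.isMajor && !force) {
      result.manual += n;
      result.reasons.push(`${a.module}@${a.target} is a semver-major bump, ${n} path(s) need --force`);
    } else {
      result.autoFixable += n;
    }
  }
  return result;
}

// Sanity check: the per-severity path counts must equal the totals npm prints
// (metadata.vulnerabilities); a mismatch means the report and the tree disagree.
function metadataConsistent(report) {
  const { bySeverity } = countFindings(report);
  const meta = report.metadata.vulnerabilities;
  return Object.keys(bySeverity).every((k) => bySeverity[k] === (meta[k] || 0));
}

function summarize(report, force = false) {
  return { ...countFindings(report), ...classifyActions(report, force), consistent: metadataConsistent(report) };
}

// Usage: npm audit --json > audit.json && node audit-summary.js audit.json [--force]
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv.slice(2).find((arg) => arg !== '--force');
  const report = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleReport;
  const s = summarize(report, process.argv.includes('--force'));
  console.log(`${s.totalPaths} vulnerable paths from ${s.distinctAdvisories} advisories in ${s.distinctModules} packages`);
  console.log('by severity:', s.bySeverity);
  console.log(`npm audit fix would resolve ${s.autoFixable}; ${s.manual} need manual review`);
  for (const r of s.reasons) console.log(`  - ${r}`);
  console.log(`metadata totals consistent with findings: ${s.consistent}`);
}
```

Run it against a real report with `npm audit --json > audit.json && node audit-summary.js audit.json` on npm 6; the ratio of vulnerable paths to distinct advisories is the number to look at when the headline count is in the thousands, and `consistent: false` on a real report is the signal that the audit was not computed against the tree currently on disk. npm 7 and later changed the JSON layout (vulnerabilities keyed by package name rather than advisory id), so this parser is specific to the npm 6 format shown in the log above.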