Skip to content

[BUG] npm audit fix installes incompatible peer dependencies #9724

Description

@jendrikw

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

I run npm audit fix, npm warns about "npm warn ERESOLVE overriding peer dependency"

Expected Behavior

Run the npm audit fix subcommand to automatically install compatible updates to vulnerable dependencies.

(Highlight by me)

https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities?ref=content-for-engineers-by-engineers-atomist-blog#security-vulnerabilities-found-with-suggested-updates

Steps To Reproduce

package.json

package-lock.json

Run npm audit fix

Environment

  • npm: 11.16.0
  • Node.js: v24.18.0
  • OS Name: Debian forky/sid
  • System Model Name: N/A
  • npm config:
; "builtin" config from /usr/share/nodejs/npm/npmrc

prefix = "/usr/local"

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions