
[BUG] npm audit fix --force tries to download non-existing packages #5750

@XC-

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm audit fix --force attempts to update nodemon and got. New nodemon version should be 2.0.20, but npm audit also tries to fetch got version 2.0.20 which does not exist. Closest got version is 2.0.0, which is 8 years old, latest being 12.5.2.

npm audit --audit-level high:

fix available via `npm audit fix --force`
Will install nodemon@2.0.20, which is outside the stated dependency range
node_modules/got
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        nodemon  1.3.5 - 2.0.16 || 2.0.18
        Depends on vulnerable versions of update-notifier
        node_modules/nodemon

npm audit fix --force:

npm WARN audit Updating got to 2.0.20, which is outside your stated dependency range.
npm WARN audit Updating nodemon to 2.0.20, which is outside your stated dependency range.
npm ERR! code ETARGET
npm ERR! notarget No matching version found for got@2.0.20.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

Expected Behavior

nodemon version should not "leak" to got version download.

Steps To Reproduce

dependencies:

"devDependencies": {
    "@types/amqplib": "0.8.2",
    "@types/dotenv": "8.2.0",
    "@types/got": "9.6.12",
    "@types/jest": "27.0.0",
    "@types/node": "15.0.2",
    "@types/uuid": "8.3.4",
    "@types/winston": "2.4.4",
    "@typescript-eslint/eslint-plugin": "4.33.0",
    "@typescript-eslint/parser": "4.33.0",
    "amqplib": "0.8.0",
    "eslint": "7.32.0",
    "eslint-config-prettier": "7.2.0",
    "eslint-plugin-import": "2.25.4",
    "eslint-plugin-prettier": "3.4.1",
    "jest": "27.5.1",
    "nodemon": "2.0.15",
    "prettier": "2.5.1",
    "ts-jest": "27.1.3",
    "ts-node": "9.1.1",
    "typescript": "4.2.4"
  },
  "dependencies": {
    "dotenv": "9.0.1",
    "got": "11.8.3",
    "pdfjs-dist": "^2.8.335",
    "uuid": "8.3.2",
    "winston": "3.6.0"
  }

Some packages have been removed since I cannot share them. Same goes for package-lock.json.

Environment

  • npm: 9.0.0
  • Node.js: 16.14.0
  • OS Name: Manjaro Linux
  • System Model Name: Lenovo ThinkPad

The problem also occurs with npm version 8.19.2.
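The failure described in this report is that the version planned for one package (nodemon@2.0.20) is reused as the target for another (got@2.0.20) and only surfaces as ETARGET once the install is attempted. The script below is an added example, not part of the npm issue or of npm itself: it parses the `npm WARN audit Updating <pkg> to <version>` plan lines in the shape shown above and checks each target version against the versions a registry publishes, so a plan that names a version that does not exist is flagged up front. `REGISTRY_VERSIONS` is a constructed, offline stand-in for the `versions` keys of a registry document such as `https://registry.npmjs.org/<pkg>`; its version lists are placeholders, not the real publication history.

```javascript
// Added example (not part of the npm issue above): pre-flight check of the
// "Updating <pkg> to <version>" plan lines printed by `npm audit fix --force`
// against the versions a registry actually publishes, so a target such as
// got@2.0.20 is reported before the install fails with ETARGET.

// Constructed stand-in for the `versions` keys of registry metadata
// (placeholder lists, not the real publication history of either package).
const REGISTRY_VERSIONS = {
  got: ['2.0.0', '11.8.3', '12.5.2'],
  nodemon: ['2.0.15', '2.0.18', '2.0.20'],
};

// Plan lines in the exact shape shown in the report (constructed sample input).
const SAMPLE_PLAN_OUTPUT = [
  'npm WARN audit Updating got to 2.0.20, which is outside your stated dependency range.',
  'npm WARN audit Updating nodemon to 2.0.20, which is outside your stated dependency range.',
  'npm ERR! code ETARGET',
].join('\n');

// Group 1: package name (scoped names included); group 2: exact target version.
const PLAN_LINE =
  /^npm WARN audit Updating (\S+) to (\S+), which is outside your stated dependency range\.$/;

// Extract {name, version} pairs from npm's output; unrelated lines are ignored.
function parsePlan(output) {
  const plan = [];
  for (const raw of output.split('\n')) {
    const m = PLAN_LINE.exec(raw.trim());
    if (m) plan.push({ name: m[1], version: m[2] });
  }
  return plan;
}

// Check every planned version against the published list. A version that the
// registry does not have for this package, but that is a valid target for
// another package in the same run, is marked as a probable cross-package leak,
// which is exactly the got/nodemon situation in the report.
function checkPlan(plan, registry) {
  return plan.map((entry) => {
    const published = registry[entry.name] || [];
    const exists = published.includes(entry.version);
    let leakedFrom = null;
    if (!exists) {
      const peers = plan
        .filter((o) => o.name !== entry.name && o.version === entry.version
          && (registry[o.name] || []).includes(o.version))
        .map((o) => o.name);
      if (peers.length) leakedFrom = peers;
    }
    return { ...entry, exists, leakedFrom };
  });
}

// Names of packages whose planned version would fail with ETARGET.
function bogusTargets(output, registry) {
  return checkPlan(parsePlan(output), registry)
    .filter((r) => !r.exists)
    .map((r) => r.name);
}

// Stand-alone demonstration on the constructed sample.
for (const r of checkPlan(parsePlan(SAMPLE_PLAN_OUTPUT), REGISTRY_VERSIONS)) {
  const detail = r.leakedFrom ? ` (same version planned for ${r.leakedFrom.join(', ')})` : '';
  console.log(`${r.name}@${r.version}: ${r.exists ? 'published' : 'NOT PUBLISHED' + detail}`);
}
```

To use it on a real run, capture the output of `npm audit fix --force --dry-run` (the `--dry-run` flag is assumed here as the way to obtain the plan without installing) and replace `REGISTRY_VERSIONS` with the `versions` keys fetched from the registry for each package named in the plan; the check then tells you which targets would fail before anything in `node_modules` is touched.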

Labels

  • Bug: thing that needs fixing
  • Priority 1: high priority issue
  • Release 9.x: work is associated with a specific npm 9 release