[BUG] npm audit fix --force installs a vulnerable version of puppeteer

[TiAlRo]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

The command npm audit fix --force installs [email protected], which depends on a vulnerable version of ws, namely 8.9.0.

Expected Behavior

The command npm audit fix --force should show there is no version of puppeteer without vulnerability.

Steps To Reproduce

1. Run npm i puppeteer
2. Run npm audit fix --force

Environment

• npm: 10.8.1
• Node.js: v21.2.0
• OS Name: Windows 10.0.19045
• System Model Name: Precision Tower 3620

[TiAlRo]

This problem existed when there was no [email protected] published yet. Now I don't know how to reproduce it anymore.

[milaninfy]

@TiAlRo I am not able to reproduce this issue. Without proper reproduction steps it's not feasible to identify the cause of the issue if there are any.

[milaninfy]

Closing due to age. If this is still a problem please feel free to reopen this issue, or create a new issue w/ steps to reproduce.

[TiAlRo]

I can reproduce the behaviour:

1. Run npm i npm-audit-vulnerability-bug2
2. Run npm audit fix --force

The command installs [email protected], which is vulnerable.

The bug #6079 describes the same behaviour.

[TiAlRo]

@milaninfy, can you reopen this bug? Thx.

[milaninfy]

It does update to 0.0.1 but it also shows that this version is also vulnerable due to it's dependencies. if you run fix one more time it updates it to 0.0.0 which I believe is not vulnerable.

~/workarea/rep $ npm i npm-audit-vulnerability-bug2

added 8 packages, and audited 9 packages in 1s

1 package is looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
~/workarea/rep $ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating npm-audit-vulnerability-bug2 to 0.0.1, which is a SemVer major change.

changed 1 package, and audited 9 packages in 753ms

1 package is looking for funding
  run `npm fund` for details

# npm audit report

micromatch  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/micromatch
  npm-audit-vulnerability-bug  *
  Depends on vulnerable versions of micromatch
  node_modules/npm-audit-vulnerability-bug
    npm-audit-vulnerability-bug2  >=0.0.1
    Depends on vulnerable versions of npm-audit-vulnerability-bug
    node_modules/npm-audit-vulnerability-bug2

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
~/workarea/rep $ npm ls
[email protected] /Users/milaninfy/workarea/rep
└── [email protected]

~/workarea/rep $ npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating npm-audit-vulnerability-bug2 to 0.0.0, which is a SemVer major change.

removed 7 packages, changed 1 package, and audited 2 packages in 684ms

found 0 vulnerabilities
~/workarea/rep $ npm audit            
found 0 vulnerabilities

[TiAlRo]

When I run fix, I expect to have no vulnerability anymore instead of having to run it another time.

[TiAlRo]

I published now the package [email protected] and unpublished the version 0.0.0. After installing the version 0.0.3, the command npm audit fix --force installs the version 0.0.1. Running the command npm audit fix --force again, the version 0.0.3 is reinstalled, which leads to a cycle.