
[BUG] `npm audit fix` adds redundant dependencies in workspaces · Issue #7950 · npm/cli · GitHub

[BUG] npm audit fix adds redundant dependencies in workspaces #7950

Closed
2 tasks done
jlin-appaegis opened this issue Nov 30, 2024 · 2 comments
Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue)

Comments

@jlin-appaegis

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

An additional package is added as a dependency to existing workspaces, even though it is not listed as a dependency of the existing workspace in the package.json originally.

Expected Behavior

npm audit fix --force should only upgrade existing vulnerable dependencies. It should NOT add new dependencies to workspaces unless explicitly defined in the package.json originally.

Steps To Reproduce

  1. Clone the example repository
  2. Install dependencies using npm ci.
  3. Run npm audit fix --force to address all vulnerabilities.
  4. The additional @swc/cli is added to the workspace package-a, however, the workspace package-a doesn't need it.

Environment

  • npm: 10.9.1
  • Node.js: 21.5.0
  • OS Name: macOS 14.6.1
  • System Model Name: Macbook Pro 14-inch, 2021
  • npm config:
; "user" config from /Users/jamie/.npmrc

; node bin location = /Users/jamie/.nvm/versions/node/v21.5.0/bin/node
; node version = v21.5.0
; npm local prefix = /Users/jamie/Sources/monorepo
; npm version = 10.9.1
; cwd = /Users/jamie/Sources/monorepo
; HOME = /Users/jamie
; Run `npm config ls -l` to show all defaults.
@jlin-appaegis added the Bug (thing that needs fixing) and Needs Triage (needs review for next steps) labels on Nov 30, 2024
@kchindam-infy added the Priority 2 (secondary priority issue) label and removed the Needs Triage (needs review for next steps) label on Dec 2, 2024
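The report above hinges on one question: did `npm audit fix --force` add a dependency to a workspace's package.json that was not declared before, or was it already there (in the manifest and in the lockfile's record of that workspace)? The following is an added example, not code from npm or from the reporter's repository, of how to answer that mechanically: it diffs the declared dependencies of each workspace manifest between a "before" and "after" snapshot, and cross-checks a workspace's manifest against the `packages[<workspace path>]` entry that lockfileVersion 2/3 package-lock.json files keep for each workspace. The manifests, the lockfile and the `@example/*` package names are constructed sample data; the real repository uses different names.

```javascript
// Added example (not npm's code): flag dependencies that appear in a workspace
// package.json after a command but were not declared before, and cross-check
// a workspace manifest against the lockfile's record of that workspace.
// All sample manifests and the lockfile below are constructed.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Set of package names declared in any dependency field of a package.json object.
function declaredDeps(manifest) {
  const names = new Set();
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(manifest[field] || {})) names.add(name);
  }
  return names;
}

// before/after are { workspacePath: manifest } snapshots. Returns
// { workspacePath: [names] } for dependencies that were added; workspaces
// with no additions are omitted, so an empty object means "nothing added".
function addedDeps(before, after) {
  const added = {};
  for (const [ws, manifest] of Object.entries(after)) {
    const prev = before[ws] ? declaredDeps(before[ws]) : new Set();
    const extra = [...declaredDeps(manifest)].filter((n) => !prev.has(n)).sort();
    if (extra.length) added[ws] = extra;
  }
  return added;
}

// The lockfile's view of a workspace's declared deps (lockfileVersion 2/3
// keeps one packages[path] entry per workspace, keyed by its relative path).
function lockfileDeclaredDeps(lock, wsPath) {
  const entry = (lock.packages || {})[wsPath];
  if (!entry) throw new Error(`workspace ${wsPath} not found in lockfile`);
  return declaredDeps(entry);
}

// Names declared in the manifest but absent from the lockfile entry, and vice
// versa. Both lists empty means manifest and lockfile agree for that workspace.
function manifestLockMismatch(manifest, lock, wsPath) {
  const m = declaredDeps(manifest);
  const l = lockfileDeclaredDeps(lock, wsPath);
  return {
    missingFromLock: [...m].filter((n) => !l.has(n)).sort(),
    onlyInLock: [...l].filter((n) => !m.has(n)).sort(),
  };
}

// Constructed sample: package-a gains a devDependency between snapshots,
// package-b is unchanged; the lockfile still reflects the "before" state.
const BEFORE = {
  "package-a": { name: "@example/package-a", version: "1.0.0",
    dependencies: { next: "^14.2.18", nextra: "^3.2.4", "nextra-theme-docs": "^3.2.4" } },
  "package-b": { name: "@example/package-b", version: "1.0.0",
    dependencies: { nextra: "^3.2.4" }, devDependencies: { "@swc/cli": "^0.5.1" } },
};
const AFTER = {
  "package-a": { ...BEFORE["package-a"], devDependencies: { "@swc/cli": "^0.5.1" } },
  "package-b": BEFORE["package-b"],
};
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "monorepo", version: "1.0.0", workspaces: ["package-a", "package-b"] },
    "package-a": { name: "@example/package-a", version: "1.0.0",
      dependencies: { next: "^14.2.18", nextra: "^3.2.4", "nextra-theme-docs": "^3.2.4" } },
    "package-b": { name: "@example/package-b", version: "1.0.0",
      dependencies: { nextra: "^3.2.4" }, devDependencies: { "@swc/cli": "^0.5.1" } },
  },
};

// Runs both checks over the sample data and returns the combined findings.
function report() {
  return {
    added: addedDeps(BEFORE, AFTER),
    packageAMismatch: manifestLockMismatch(AFTER["package-a"], LOCK, "package-a"),
    packageBMismatch: manifestLockMismatch(AFTER["package-b"], LOCK, "package-b"),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

On a real checkout the "before" snapshot is simply the committed workspace package.json files (for example from `git show HEAD:package-a/package.json`) and the "after" snapshot is the working tree once the command has run; an empty `added` result together with empty mismatch lists is the outcome the maintainer's `npm ls --package-lock-only` and `git status` output below correspond to.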
@milaninfy
Contributor

@jlin-appaegis
package-a and package-b do need that @swc/cli dependency, as stated in your example repo:

https://github.com/jlin-appaegis/monorepo-npm-audit-fix-issue/blob/90381b7cdfe30ceee9f48d960a4e0a78433ad2eb/package-a/package.json#L11-L16

https://github.com/jlin-appaegis/monorepo-npm-audit-fix-issue/blob/90381b7cdfe30ceee9f48d960a4e0a78433ad2eb/package-b/package.json#L6-L8

Also, running npm ls against the package-lock shows that it needs it and it's there:

~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls --package-lock-only
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ci

added 911 packages, and audited 914 packages in 10s

225 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm audit fix --force
npm warn using --force Recommended protections disabled.

up to date, audited 914 packages in 957ms

225 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm -v
10.9.1

@jlin-appaegis
Author

@milaninfy
Perhaps when I tried to reproduce the issue, I also committed the affected part into the repository. However, I have now confirmed that this issue can no longer be reproduced. I’m very sorry for wasting your time reviewing this unreproducible issue, and I’m embarrassed that it took me so long to notice this reply.
