Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm audit prints fix available via npm audit fix, but running npm audit fix doesn't fix anything.
The CLI advertises a fix that doesn't work.
Expected Behavior
If the npm CLI says a fix is available via npm audit fix, running
should automatically fix the issue, like it does in a lot of other cases.
Steps To Reproduce
- npm init -y
- npm i -D tsx@4.21.0
- npm audit "1 low severity vulnerability … fix available via npm audit fix"
- npm audit fix "up to date", vulnerability still listed
Environment
- npm: 11.17.0
- Node.js: v24.13.0
- OS Name: Ubuntu 24.04.4 LTS
- npm config:
; node bin location = /home/hamir/.nvm/versions/node/v24.13.0/bin/node
; node version = v24.13.0
; npm local prefix = /home/hamir/private
; npm version = 11.17.0
; cwd = /home/hamir/private
; HOME = /home/hamir
; Run `npm config ls -l` to show all defaults.
Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
npm auditprintsfix available via npm audit fix, but runningnpm audit fixdoesn't fix anything.The CLI advertises a fix that doesn't work.
Expected Behavior
If the npm CLI says a fix is available via
npm audit fix, runningshould automatically fix the issue, like it does in a lot of other cases.
Steps To Reproduce
Environment