[BUG] npm audit prints fix available via npm audit fix, but it doesn't fix anything #9718

Description

@hirehamir

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

npm audit prints fix available via npm audit fix, but running npm audit fix doesn't fix anything.

The CLI advertises a fix that doesn't work.

Expected Behavior

If the npm CLI says a fix is available via npm audit fix, running

npm audit fix

should automatically fix the issue, like it does in a lot of other cases.

Steps To Reproduce

  1. npm init -y
  2. npm i -D tsx@4.21.0
  3. npm audit "1 low severity vulnerability … fix available via npm audit fix"
  4. npm audit fix "up to date", vulnerability still listed

Environment

  • npm: 11.17.0
  • Node.js: v24.13.0
  • OS Name: Ubuntu 24.04.4 LTS
  • npm config:
; node bin location = /home/hamir/.nvm/versions/node/v24.13.0/bin/node
; node version = v24.13.0
; npm local prefix = /home/hamir/private
; npm version = 11.17.0
; cwd = /home/hamir/private
; HOME = /home/hamir
; Run `npm config ls -l` to show all defaults.
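
A check for the behaviour reported above, as an added example that is not part of the original issue or npm's own code: it compares `npm audit --json` reports taken before and after `npm audit fix` and lists packages whose advertised fix was not applied. It assumes the report's `vulnerabilities` map and `fixAvailable` field, and that `fixAvailable: true` corresponds to the "fix available via npm audit fix" message; the sample reports and the package names `example-dep` and `other-dep` are constructed.

```javascript
// Added example (not npm's code). Assumes the `npm audit --json` report layout:
// { vulnerabilities: { <pkg>: { severity, fixAvailable, ... } } }.

// Assumption: fixAvailable === true is the case the CLI reports as
// "fix available via `npm audit fix`" (no --force needed).
function advertisesPlainFix(vuln) {
  return vuln.fixAvailable === true;
}

// Return the packages that advertised a plain fix in the "before" report
// and are still listed as vulnerable in the "after" report.
function unappliedFixes(before, after) {
  const remaining = (after && after.vulnerabilities) || {};
  return Object.entries((before && before.vulnerabilities) || {})
    .filter(([name, vuln]) => advertisesPlainFix(vuln) && Object.hasOwn(remaining, name))
    .map(([name, vuln]) => ({ name, severity: vuln.severity }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample reports (placeholder package names, not real advisories).
const BEFORE = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-dep': { name: 'example-dep', severity: 'low', fixAvailable: true },
    // A fix that needs --force is not counted as an advertised plain fix.
    'other-dep': {
      name: 'other-dep',
      severity: 'high',
      fixAvailable: { name: 'other-dep', version: '2.0.0', isSemVerMajor: true },
    },
  },
};
const AFTER_UNCHANGED = JSON.parse(JSON.stringify(BEFORE)); // audit fix was a no-op
const AFTER_FIXED = {
  auditReportVersion: 2,
  vulnerabilities: { 'other-dep': BEFORE.vulnerabilities['other-dep'] },
};

// A CI job can fail the build when this list is non-empty.
console.log(unappliedFixes(BEFORE, AFTER_UNCHANGED));
console.log(unappliedFixes(BEFORE, AFTER_FIXED));
```

In a pipeline, the two inputs would be the parsed output of `npm audit --json` captured before and after running `npm audit fix`.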

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)