[BUG] npm audit makes unrelated minor/patch updates to packages that require a major update to fix #9344

@36degrees

Description

@36degrees

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Using @tootallnate/once as an example, starting with 2.0.0 installed.

@tootallnate/once has a vulnerability which is only fixed by updating to 3.0.1 (requiring the use of npm audit fix --force).

However, running npm audit fix with no --force flag results in @tootallnate/once being updated from 2.0.0 to 2.0.1, despite the fact that this does not resolve the vulnerability.

Expected Behavior

I would expect npm audit fix only to make changes to installed packages where those changes resolve the vulnerabilities shown when running npm audit.

Steps To Reproduce

  1. Run npm install @tootallnate/once@2.0.0
  2. Run npm audit and note that the only vulnerability listed requires a major semver change and is shown as needing npm audit fix --force to resolve it
  3. Run npm audit fix --long and note the unexpected change @tootallnate/once 2.0.0 => 2.0.1
npm audit fix --dry-run --json output

```
$ npm -v
11.14.1

$ npm audit fix --dry-run --json
change @tootallnate/once 2.0.0 => 2.0.1
{
  "add": [],
  "added": 0,
  "audited": 2,
  "change": [
    {
      "from": {
        "name": "@tootallnate/once",
        "version": "2.0.0",
        "path": "/Users/oliver.byford/Code/npm-sandbox/node_modules/@tootallnate/once"
      },
      "to": {
        "name": "@tootallnate/once",
        "version": "2.0.1",
        "path": "/Users/oliver.byford/Code/npm-sandbox/node_modules/@tootallnate/once"
      }
    }
  ],
  "changed": 1,
  "funding": 0,
  "remove": [],
  "removed": 0,
  "audit": {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "@tootallnate/once": {
        "name": "@tootallnate/once",
        "severity": "low",
        "isDirect": false,
        "via": [
          {
            "source": 1113977,
            "name": "@tootallnate/once",
            "dependency": "@tootallnate/once",
            "title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
            "url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6",
            "severity": "low",
            "cwe": [
              "CWE-705"
            ],
            "cvss": {
              "score": 3.3,
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
            },
            "range": "<3.0.1"
          }
        ],
        "effects": [],
        "range": "<3.0.1",
        "nodes": [
          ""
        ],
        "fixAvailable": {
          "name": "@tootallnate/once",
          "version": "3.0.1",
          "isSemVerMajor": true
        }
      }
    },
    "metadata": {
      "vulnerabilities": {
        "info": 0,
        "low": 1,
        "moderate": 0,
        "high": 0,
        "critical": 0,
        "total": 1
      },
      "dependencies": {
        "prod": 2,
        "dev": 0,
        "optional": 0,
        "peer": 0,
        "peerOptional": 0,
        "total": 1
      }
    }
  }
}
```

Environment

  • npm: 11.14.1
  • Node.js: v22.15.0
  • OS Name: macOS 26.4.1 (25E253)
  • System Model Name: MacBook Pro
  • npm config:

```
; node bin location = /Users/oliver.byford/.asdf/installs/nodejs/22.15.0/bin/node
; node version = v22.15.0
; npm local prefix = /Users/oliver.byford/Code/npm-sandbox
; npm version = 11.14.1
; cwd = /Users/oliver.byford/Code/npm-sandbox
; HOME = /Users/oliver.byford
```
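As an added example (not npm's own code, and not part of this issue): a small Node script that reads `npm audit fix --dry-run --json` output and reports any planned change whose target version still falls inside a reported vulnerable range, which is exactly the case described above. It assumes plain x.y.z versions and simple comparator ranges (`<`, `<=`, `>`, `>=`, joined by spaces or `||`); the embedded report is a constructed, trimmed copy of the one in the issue.

```javascript
// Added example, not npm's code: detect "audit fix" changes that do not
// actually leave the vulnerable range reported by npm audit.

// Minimal version comparison for plain x.y.z versions (no prerelease tags).
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `version` satisfies `range`, e.g. "<3.0.1" or ">=2.0.0 <3.0.1 || <1.0.0".
function inRange(version, range) {
  return range.split('||').some(alt => alt.trim().split(/\s+/).every(c => {
    const m = /^(<=|>=|<|>|=?)(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const d = cmp(version, m[2]);
    return { '<': d < 0, '<=': d <= 0, '>': d > 0, '>=': d >= 0, '': d === 0, '=': d === 0 }[m[1]];
  }));
}

// Returns the planned changes whose new version is still inside an advisory range.
// `via` entries may be strings (paths through other packages) or advisory objects;
// only the objects carry a range, so strings are skipped.
function ineffectiveChanges(report) {
  const vulns = report.audit.vulnerabilities;
  return report.change
    .filter(({ to }) => {
      const v = vulns[to.name];
      return v && v.via.some(adv => typeof adv === 'object' && inRange(to.version, adv.range));
    })
    .map(({ from, to }) => ({
      name: to.name, from: from.version, to: to.version, fixAvailable: vulns[to.name].fixAvailable,
    }));
}

// Constructed sample: the report from the issue, trimmed to the fields used here.
const sample = {
  change: [{ from: { name: '@tootallnate/once', version: '2.0.0' },
             to: { name: '@tootallnate/once', version: '2.0.1' } }],
  audit: { vulnerabilities: { '@tootallnate/once': {
    via: [{ name: '@tootallnate/once', range: '<3.0.1' }],
    fixAvailable: { name: '@tootallnate/once', version: '3.0.1', isSemVerMajor: true },
  } } },
};

for (const c of ineffectiveChanges(sample)) {
  const fix = typeof c.fixAvailable === 'object'
    ? `fix needs ${c.fixAvailable.version}${c.fixAvailable.isSemVerMajor ? ' (semver-major, --force)' : ''}`
    : 'no fix available';
  console.log(`${c.name} ${c.from} => ${c.to} is still vulnerable; ${fix}`);
}
```

Feed it the real report (for example `JSON.parse(fs.readFileSync(0))` on piped `npm audit fix --dry-run --json` output) to gate a CI step on whether `npm audit fix` would make changes that resolve nothing.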

Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue)