bug: npm audit fix doesn't seem to change anything #28223

Closed
3 tasks done
Ericlm opened this issue Sep 22, 2023 · 3 comments
Comments

@Ericlm
Contributor

Ericlm commented Sep 22, 2023

Prerequisites

Ionic Framework Version

v7.x

Current Behavior

In my current ionic project, made with Vue and Vite, when making an audit with npm audit, I got a vulnerability like so:

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier
    nodemon  2.0.19 - 2.0.22
    Depends on vulnerable versions of simple-update-notifier
    node_modules/nodemon

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

I tried many times to run npm audit fix but it doesn't seem to do anything in particular. I also went to the repos and found out that the packages had, apparently, fixed the issue. I don't know what I can do to investigate further, but I would be glad if this "error" could go away :)

Expected Behavior

I expected that `npm audit fix` actually fixes the issue.

Steps to Reproduce

Sadly I couldn't reproduce the issue on a fresh new project. The project is made with Ionic for Vue and Vite, and has more deps than the basic one.

If needed, I could investigate further by removing deps :)

Code Reproduction URL

No response

Ionic Info

Ionic:

   Ionic CLI       : 7.1.1 (/Users/ericlemaitre/.asdf/installs/nodejs/20.7.0/lib/node_modules/@ionic/cli)
   Ionic Framework : @ionic/vue 7.4.1

Capacitor:

   Capacitor CLI      : 5.4.0
   @capacitor/android : 5.4.0
   @capacitor/core    : 5.4.0
   @capacitor/ios     : 5.4.0

Utility:

   cordova-res : not installed globally
   native-run  : 1.7.3

System:

   NodeJS : v20.7.0 (/Users/ericlemaitre/.asdf/installs/nodejs/20.7.0/bin/node)
   npm    : 10.1.0
   OS     : macOS Unknown

Additional Information

remy/nodemon#2121 (comment)
alexbrazier/simple-update-notifier#20

@ionitron-bot ionitron-bot bot added the triage label Sep 22, 2023
@liamdebeasi liamdebeasi self-assigned this Sep 22, 2023
@liamdebeasi
Contributor

Hey there,

We don't manage npm audit fix, so it might be best to file this feedback on https://github.com/npm/cli. I wasn't able to reproduce this in an Ionic Vue starter app either, so it sounds like your project may have an outdated dependency (or you have a "dependency of a dependency" issue; this blog post goes into some of the issues with npm audit right now).

I'm going to close this, but let me know if you have any other questions.

@liamdebeasi liamdebeasi closed this as not planned Sep 22, 2023
@liamdebeasi liamdebeasi removed their assignment Sep 22, 2023
@Ericlm
Contributor Author

Ericlm commented Sep 22, 2023

Just for the record: it is due (indirectly) to capacitor assets, via npm-watch. See the issue M-Zuber/npm-watch#94.

@ionitron-bot

ionitron-bot bot commented Oct 22, 2023

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Ionic, please create a new issue and ensure the template is fully filled out.

@ionitron-bot ionitron-bot bot locked and limited conversation to collaborators Oct 22, 2023