Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

[BUG] npm audit fix adds redundant dependencies in workspaces #7950

Open
2 tasks done
jlin-appaegis opened this issue Nov 30, 2024 · 1 comment
Open
2 tasks done

[BUG] npm audit fix adds redundant dependencies in workspaces #7950

jlin-appaegis opened this issue Nov 30, 2024 · 1 comment
Labels
Bug thing that needs fixing Priority 2 secondary priority issue

Comments

@jlin-appaegis
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

An additional package is added as a dependency to existing workspaces, even though it is not listed as a dependency of the existing workspace in the package.json originally.

Expected Behavior

npm audit fix --force should only upgrade existing vulnerable dependencies. It should NOT add new dependencies to workspaces unless explicitly defined in the package.json originally.

Steps To Reproduce

  1. Clone the example repository
  2. Install dependencies using npm ci.
  3. Run npm audit fix --force to address all vulnerabilities.
  4. The additional @swc/cli is added to the workspace package-a, however, the workspace package-a doesn't need it.

Environment

  • npm: 10.9.1
  • Node.js: 21.5.0
  • OS Name: macOS 14.6.1
  • System Model Name: Macbook Pro 14-inch, 2021
  • npm config:
; "user" config from /Users/jamie/.npmrc

; node bin location = /Users/jamie/.nvm/versions/node/v21.5.0/bin/node
; node version = v21.5.0
; npm local prefix = /Users/jamie/Sources/monorepo
; npm version = 10.9.1
; cwd = /Users/jamie/Sources/monorepo
; HOME = /Users/jamie
; Run `npm config ls -l` to show all defaults.
@jlin-appaegis jlin-appaegis added Bug thing that needs fixing Needs Triage needs review for next steps labels Nov 30, 2024
@kchindam-infy kchindam-infy added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels Dec 2, 2024
@milaninfy
Copy link
Contributor

@jlin-appaegis
package-a and package-b does need that @swc/cli dependency as stated from your example repo

https://github.com/jlin-appaegis/monorepo-npm-audit-fix-issue/blob/90381b7cdfe30ceee9f48d960a4e0a78433ad2eb/package-a/package.json#L11-L16

https://github.com/jlin-appaegis/monorepo-npm-audit-fix-issue/blob/90381b7cdfe30ceee9f48d960a4e0a78433ad2eb/package-b/package.json#L6-L8

also running npm ls against package-lock shows that it needs and it's there

~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls --package-lock-only
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ci

added 911 packages, and audited 914 packages in 10s

225 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm audit fix --force
npm warn using --force Recommended protections disabled.

up to date, audited 914 packages in 957ms

225 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm -v
10.9.1

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
Bug thing that needs fixing Priority 2 secondary priority issue
Projects
None yet
Development

No branches or pull requests

3 participants