npm audit fix --force oscillates forever between two vulnerable versions #41680
Labels
wrong repo
Issues that should be opened in another repository.
Comments
|
The repository for npm is https://github.com/npm/cli. Please open the issue there. This is not the first time that you've opened npm issues in this repository and been told that it is not the right place. What can we do to stop you from opening npm issues in this repository? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version
v16.13.2
Platform
Darwin najma.attlocal.net 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:41 PST 2021; root:xnu-8019.61.5~1/RELEASE_ARM64_T6000 arm64
Subsystem
No response
What steps will reproduce the bug?
npm audit fix --force.The first run will upgrade a package such as JSHint to 2.13.3. The next run will reset the package back to the old version.
Running a third time and a fourth repeats this behavior indefinitely.
How often does it reproduce? Is there a required condition?
Every time.
What is the expected behavior?
npm audit should behave idempotently.
What do you see instead?
npm audit --forcecycles between two bad versions, each featuring vulnerabilities.Additional information
No response
The text was updated successfully, but these errors were encountered: