
Executing `npm audit`. It will be enough to show just the last three issues; all of them have the "fix available via `npm audit fix`" message:


tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp

undici  <=5.28.5
Severity: high
undici before v5.8.0 vulnerable to CRLF injection in request headers - https://github.com/advisories/GHSA-3cvr-822r-rqcc
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect - https://github.com/advisories/GHSA-q768-x9m6-m9qp
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type - https://github.com/advisories/GHSA-f772-66g8-q5h3
`undici.request` vulnerable to SSRF using absolute URL on `pathname` - https://github.com/advisories/GHSA-8qr4-xgw6-wmr3
Regular Expression Denial of Service in Headers - https://github.com/advisories/GHSA-r6ch-mqf9-qc9w
CRLF Injection in Nodejs ‘undici’ via host - https://github.com/advisories/GHSA-5r9g-qh6m-jxff
Undici's cookie header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
Use of Insufficiently Random Values in undici - https://github.com/advisories/GHSA-c76h-2ccp-4975
undici Denial of Service attack via bad certificate data - https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - https://github.com/advisories/GHSA-9qxr-qj54-h672
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
fix available via `npm audit fix`
node_modules/undici

10 vulnerabilities (1 low, 1 moderate, 8 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

All dependencies mentioned above are transitive ones; that means none of them has been installed directly, so none of them is listed in package.json.

Executing `npm audit fix`. As you can see, the message is exactly the same, and the number of vulnerabilities has not changed:


Why has nothing changed?

Versions:

  • Node.js: 22.15.0 (current Maintenance LTS)

  • npm: 10.9.0

  • please add a focused, answerable question to your post Commented 5 hours ago
  • Please don't post textual information in the form of pictures. Please see: Why should I not upload images of code/data/errors? If you still need an image, it can complement the textual information. Commented 3 hours ago
  • "Does npm audit fix do nothing?" - no. Commented 2 hours ago
  • @SergeyAKryukov I have appended the plain text version of the console output. Not sure the monotonous text is more readable than the image version. Commented 1 hour ago
