
I'm trying to fix 3 vulnerabilities identified by npm audit, but it seems like these can't be resolved automatically with npm audit fix.

```text
❯ npm audit fix
npm WARN audit fix ansi-regex@5.0.0 node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
npm WARN audit fix ansi-regex@5.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@5.0.0 npm@8.5.0 at node_modules/npm
npm WARN audit fix ansi-regex@5.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@5.0.0 Check for updates to the npm package.
npm WARN audit fix ansi-regex@3.0.0 node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm WARN audit fix ansi-regex@3.0.0 is a bundled dependency of
npm WARN audit fix ansi-regex@3.0.0 npm@8.5.0 at node_modules/npm
npm WARN audit fix ansi-regex@3.0.0 It cannot be fixed automatically.
npm WARN audit fix ansi-regex@3.0.0 Check for updates to the npm package.
npm WARN audit fix strip-ansi@4.0.0 node_modules/npm/node_modules/string-width/node_modules/strip-ansi
npm WARN audit fix strip-ansi@4.0.0 is a bundled dependency of
npm WARN audit fix strip-ansi@4.0.0 npm@8.5.0 at node_modules/npm
npm WARN audit fix strip-ansi@4.0.0 It cannot be fixed automatically.
npm WARN audit fix strip-ansi@4.0.0 Check for updates to the npm package.
npm WARN audit fix string-width@2.1.1 node_modules/npm/node_modules/string-width
npm WARN audit fix string-width@2.1.1 is a bundled dependency of
npm WARN audit fix string-width@2.1.1 npm@8.5.0 at node_modules/npm
npm WARN audit fix string-width@2.1.1 It cannot be fixed automatically.
npm WARN audit fix string-width@2.1.1 Check for updates to the npm package.

up to date, audited 1898 packages in 3s

185 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/npm/node_modules/string-width/node_modules/strip-ansi
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/npm/node_modules/string-width

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix
```

I'm not sure if this is related to this existing bug or not, as the WARN messages specifically state that it cannot be fixed automatically.

How can I fix these?

I've tried going through the answers in this similar SO post, but that doesn't resolve any of them. I've tried installing the latest ansi-regex, but that doesn't make any difference.

Is there any way for me to identify which dependency I have explicitly introduced (i.e. is in my dependencies or devDependencies in package.json) that has implicitly pulled in this vulnerable dependency? None of the packages mentioned in the message exist in my package.json.

ansi-regex is mentioned 49 times in my package-lock.json - do I need to sift through all these and tweak versions manually (sounds dangerous)?

Sorry for such a generic (yet very specific) question. Any help would be appreciated!

devklick
  • By any chance, do you have @semantic-release/npm installed? – Luis Pais Feb 23 '22 at 21:11
  • @LuisPais Nope, not got that installed – devklick Feb 24 '22 at 09:05
  • I have the same issue with the package I mentioned, it has npm as a dependency. Try checking your package-lock for "npm", that'll tell you which package has issues. As for a fix, I still haven't found one. – Luis Pais Feb 26 '22 at 17:49
  • Does this answer your question? [Npm install gives warnings, npm audit fix not working](https://stackoverflow.com/questions/53089810/npm-install-gives-warnings-npm-audit-fix-not-working) – 0stone0 Mar 03 '22 at 16:31
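The question asks which direct dependency pulls in the bundled copies, and Luis Pais's comment suggests searching the lockfile for "npm". The following is an added example, not code from the question or the answer: it walks the `packages` map of a lockfileVersion 2/3 package-lock.json, resolves each `dependencies` edge the way Node does (nearest enclosing `node_modules` wins), and follows dependents back to the root so each installed copy of a package is attributed to the package.json entries that bring it in. The sample lockfile, the package name `release-tool`, and the functions `resolve`, `dependents` and `findIntroducers` are constructed here for illustration; optional and peer dependencies are ignored.

```javascript
// Constructed sample lockfile (lockfileVersion 2/3 layout: keys are install paths).
const SAMPLE_LOCK = {
  packages: {
    '': { dependencies: { 'release-tool': '^1.0.0' }, devDependencies: { 'strip-ansi': '^6.0.0' } },
    'node_modules/release-tool': { version: '1.0.0', dependencies: { npm: '^8.5.0' } },
    'node_modules/npm': { version: '8.5.0', dependencies: { 'string-width': '^2.1.1' } },
    'node_modules/npm/node_modules/string-width': { version: '2.1.1', dependencies: { 'ansi-regex': '^3.0.0' } },
    'node_modules/npm/node_modules/string-width/node_modules/ansi-regex': { version: '3.0.0' },
    'node_modules/strip-ansi': { version: '6.0.1', dependencies: { 'ansi-regex': '^5.0.1' } },
    'node_modules/ansi-regex': { version: '5.0.1' },
  },
};

// Which installed copy does `name`, required from `fromPath`, resolve to? Nearest enclosing node_modules wins.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; base = base.slice(0, Math.max(base.lastIndexOf('/node_modules/'), 0))) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
  }
}

// Reverse edges: install path -> set of install paths that depend on it (only root devDependencies count).
function dependents(packages) {
  const rev = new Map();
  for (const [from, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...(from === '' ? meta.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const to = resolve(packages, from, name);
      if (to) (rev.get(to) || rev.set(to, new Set()).get(to)).add(from);
    }
  }
  return rev;
}

// For every installed copy of `pkg`, walk dependents back to the root ('') and report the direct deps reached.
function findIntroducers(lock, pkg) {
  const rev = dependents(lock.packages), out = {};
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!path.endsWith('node_modules/' + pkg)) continue;
    const direct = new Set(), seen = new Set([path]), queue = [path];
    while (queue.length) {
      const cur = queue.shift();
      for (const dep of rev.get(cur) || []) {
        if (dep === '') direct.add(cur.slice('node_modules/'.length));
        else if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
      }
    }
    out[path] = { version: meta.version, directDependencies: [...direct].sort() };
  }
  return out;
}
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the sample; `npm ls ansi-regex` prints the same chains from the installed tree.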

1 Answer


I had this issue as well and found this answer very helpful. Please read the comments though because it can cause issues if you don't have thorough enough test coverage. Also, I am using shrinkwrap in place of package-lock, so I deleted my shrinkwrap file, not package-lock.

I had deleted my lock file, but the key for me was deleting the node_modules directory.

Best of luck!

J. M. Habibi