Hello and thanks for your time.
I performed the following npm audit in an angular application.
The 'fix available' section states that the issues can be addressed via 'npm audit fix' or 'npm audit fix --force'.
I have done so, and no matter which one I choose, it keeps returning the same audit report. Nothing is changing.
Does this have to do with some of the modules having dependencies on older versions of other modules?
For example, I updated semver to 7.5.2, which took care of its ReDoS vulnerability. But it still shows up in the audit:
```
semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install tslint@4.5.1, which is a breaking change
node_modules/semver
  semver-diff  <=3.1.1
  Depends on vulnerable versions of semver
  node_modules/semver-diff
    update-notifier  0.2.0 - 5.1.0
    Depends on vulnerable versions of latest-version
    Depends on vulnerable versions of semver-diff
    node_modules/update-notifier
  tslint  >=5.0.0-dev.0
  Depends on vulnerable versions of semver
  node_modules/tslint
```
Is this because there are other modules that have dependencies on an older version of semver? This seems to suggest that:
```
$ npm ls semver
backend@0.0.0 C:\Users\mhusb\Desktop\repos\backend
├─┬ nodemon@1.19.4
│ ├── semver@5.7.1
│ └─┬ update-notifier@2.5.0
│   ├─┬ latest-version@3.1.0
│   │ └─┬ package-json@4.0.1
│   │   └── semver@5.7.1
│   └─┬ semver-diff@2.1.0
│     └── semver@5.7.1
├── semver@7.5.2
└─┬ tslint@6.1.3
  └── semver@5.7.1
```
Even though I have updated semver to 7.5.2, the other modules still require an older version of it, which makes them vulnerable? Is that the correct way to think of this?
And how do I fix that? Update the modules that depend on the old semver?
Thanks for any suggestions, articles, sites, or guidance on this subject!
I have tried what the audit suggested, running npm audit fix and/or npm audit fix --force. Expected that to fix the vulns but it just kept returning the same report.