Issue with npm audit fix failing to resolve high-severity vulnerabilities

[lobsangshakya]

Select Topic Area

Question

Body

I am currently working on a project where npm audit is reporting several high-severity vulnerabilities. When I run npm audit fix, it returns 'fixed 0 of X vulnerabilities.' I have tried deleting node_modules and the package-lock.json file, but the issue persists. Has anyone encountered a way to manually override these dependencies without breaking the peer dependencies of other packages?

[jon421553-bot]

I found your points in this discussion really helpful, especially how you clearly explain the issue and encourage collaboration to find a solution. It’s great when a technical topic is broken down in a way that invites others to jump in and learn, rather than feeling overwhelmed. I also appreciate how you acknowledge different environments and use cases, because that often makes a big difference in how people approach debugging. I’m curious — based on what you’ve seen, is there a common pattern or environment where this issue tends to show up most frequently?

[lobsangshakya]

Thanks for the feedback, appreciate it.

This issue most commonly appears in projects with deep or legacy dependency trees, where vulnerable packages exist as transitive dependencies and no compatible patched version is available. npm audit fix cannot resolve these safely due to peer dependency constraints, so reinstalling node_modules or regenerating package-lock.json does not change the outcome.

It is frequently seen in large frontend frameworks, monorepos, or tightly version-pinned ecosystems, where upgrading one dependency risks breaking others. In such cases, the only reliable options are manually upgrading direct dependencies, using dependency overrides cautiously, or waiting for upstream maintainers to release compatible fixes.

Interested to hear if others have observed the same behavior in similar setups.

[micheal000010000-hub]

I’ve seen this mainly in frontend projects where high-severity issues come from transitive dependencies of outdated or unmaintained npm packages. npm audit fix cannot resolve them due to peer dependency constraints, so reinstalling doesn’t help. In some cases, simply removing or replacing the problematic package eliminates all high vulnerabilities. Leaving multiple high-severity issues unfixed can also block deployments or cause runtime failures, where the package doesn’t behave as expected in production. Choosing dependencies compatible with your React/TypeScript/Node versions is critical.

[sakthimurugesanr]

This happens because the vulnerable packages are indirect (transitive) dependencies, not ones you installed yourself. npm audit fix won’t update them if doing so would break other dependencies, so it reports “fixed 0 of X vulnerabilities.” Deleting node_modules or package-lock.json doesn’t help because npm installs the same dependency tree again.

How to fix it:
Update the parent package that brings in the vulnerable dependency.
Use overrides in package.json to force a safe version.
If it’s a dev-only issue, it’s usually safe to document and ignore.

This is normal npm behavior, not a problem with your project setup.

[mur-ii]

Since npm audit fix is returning 0 fixes and a clean reinstall didn't resolve the issue, you are likely dealing with deep dependencies where the parent package hasn't released a patch yet. Instead of waiting for an update or risking a breaking change, you can manually override the dependency resolution using the overrides field in your package.json (available in npm v8.3+). Simply add an overrides object at the root of your package.json specifying the vulnerable package name and the secure version (e.g., "overrides": { "vulnerable-pkg": "^2.1.0" }), then run npm install to apply the changes. This forces the dependency tree to use the patched version for all nested occurrences without breaking other peer dependencies.

[shantnoothakur]

Yes, this is a common situation, and it usually means the vulnerabilities are coming from transitive dependencies where npm cannot safely apply updates without risking breaking changes.

When npm audit fix reports “fixed 0 of X vulnerabilities,” it typically indicates one or more of the following:

The vulnerable packages are required by upstream dependencies that have not released patched versions yet.

Fixing them would require major version upgrades, which npm audit fix will not apply automatically.

The affected packages are constrained by peer dependency requirements, preventing npm from resolving to safer versions.

If you need to override these dependencies manually, there are a few established approaches:

1. Use overrides (npm v8+)
   You can force specific dependency versions via the overrides field in package.json. This allows you to replace vulnerable transitive dependencies without modifying node_modules directly. However, you should test carefully, as overrides can still introduce runtime incompatibilities.

2. Upgrade or replace the parent dependency
   Check which top-level packages depend on the vulnerable modules (npm audit or npm ls helps). Upgrading or switching those packages is often the safest long-term fix.

3. Accept and document the risk
   Some vulnerabilities are not exploitable in your usage context (e.g., build-time tools). In such cases, teams often document the risk, suppress the warning, and monitor for upstream fixes.

4. Avoid editing node_modules directly
   Manual edits will be overwritten on install and usually cause more instability, especially with peer dependencies.

In short, there is no safe universal way to “force-fix” these vulnerabilities without potential side effects. Using overrides combined with thorough testing is the closest supported option, but the preferred solution is waiting for or contributing to upstream fixes when possible.

[howtoquitvivek]

This usually happens when the vulnerable packages are either transitive dependencies or the fixes require breaking changes that npm won’t apply automatically.

Here are a few safe options you can try:

1. Check which packages are causing the issue
   Run:
   npm audit
   or
   npm audit --json
   This will show whether the vulnerabilities are in direct or indirect dependencies.

2. Use npm overrides (recommended)
   If you’re on npm v8+, you can force patched versions without breaking peer dependencies:

In package.json:
"overrides": {
"vulnerable-package-name": "patched-version"
}

Then run:
npm install

3. Try updating the top-level dependency
   Often the vulnerable package comes from a parent dependency. Updating that package usually resolves multiple audit issues:
   npm outdated
   npm update

4. Use npm audit fix --force cautiously
   This may introduce breaking changes, so only use it if you’ve reviewed the impact:
   npm audit fix --force

5. Consider ignoring non-runtime vulnerabilities
   If the issues are only in devDependencies and don’t affect production, you can document and monitor them instead of forcing upgrades.

In most cases, overrides or updating the parent dependency is the safest approach.
Let me know if this helps or if you want to share which package is causing the audit warnings.