[BUG] npm audit fix command is deleting npm sections from package.json

[alvarocamillont]

Current Behavior:

When I run npm audit fix on my project, it is deleting sessions of my package.json file such as "description" and "scripts"

Expected Behavior:

I expect the command only change my dependencies.

Steps To Reproduce:

1. clone this repo https://github.com/po-ui/po-angular.git
2. Run npm i
3. Run npm audit fix
4. See package.json

Environment:

• OS: Ubuntu 20.04
• Node: v12.18.2
• NPM: 7.0.0-beta.5

[ruyadorno]

Minimal reproduction steps:

BEFORE

$ cat package-lock.json
{
  "name": "test-npm-audit-messing-up-package-json",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "dot-prop": "^4.2.0"
      }
    },
    "node_modules/dot-prop": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
      "dependencies": {
        "is-obj": "^1.0.0"
      },
      "engines": {
        "node": ">=4"
      }
    },
    "node_modules/is-obj": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-1.0.1.tgz",
      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8=",
      "engines": {
        "node": ">=0.10.0"
      }
    }
  },
  "dependencies": {
    "dot-prop": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
      "requires": {
        "is-obj": "^1.0.0"
      }
    },
    "is-obj": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-1.0.1.tgz",
      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8="
    }
  }
}

$ cat package.json
{
  "name": "test-npm-audit-messing-up-package-json",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "repository": "ruyadorno/test-npm-audit-messing-up-package-json",
  "scripts": {
    "hello": "echo \"Hello\"",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "dot-prop": "^4.2.0"
  }
}

AFTER

$ npm audit fix
$ git diff
diff --git a/package-lock.json b/package-lock.json
index 8f79ef5..cbe450e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,9 +12,9 @@
       }
     },
     "node_modules/dot-prop": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
-      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.1.tgz",
+      "integrity": "sha512-l0p4+mIuJIua0mhxGoh4a+iNL9bmeK5DvnSVQa6T0OhrVmaEa1XScX5Etc673FePCJOArq/4Pa2cLGODUWTPOQ==",
       "dependencies": {
         "is-obj": "^1.0.0"
       },
@@ -33,9 +33,9 @@
   },
   "dependencies": {
     "dot-prop": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
-      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.1.tgz",
+      "integrity": "sha512-l0p4+mIuJIua0mhxGoh4a+iNL9bmeK5DvnSVQa6T0OhrVmaEa1XScX5Etc673FePCJOArq/4Pa2cLGODUWTPOQ==",
       "requires": {
         "is-obj": "^1.0.0"
       }
diff --git a/package.json b/package.json
index 72be34c..608c9ff 100644
--- a/package.json
+++ b/package.json
@@ -1,17 +1,8 @@
 {
-  "name": "test-npm-audit-messing-up-package-json",
   "version": "1.0.0",
-  "description": "",
-  "main": "index.js",
-  "repository": "ruyadorno/test-npm-audit-messing-up-package-json",
-  "scripts": {
-    "hello": "echo \"Hello\"",
-    "test": "echo \"Error: no test specified\" && exit 1"
-  },
-  "keywords": [],
-  "author": "",
   "license": "ISC",
   "dependencies": {
     "dot-prop": "^4.2.0"
-  }
+  },
+  "name": "test-npm-audit-messing-up-package-json"
 }

[ruyadorno]

It happens only on npm audit fix, tried it with npm install dot-prop@legacy and can't reproduce the problem.

[snypelife]

I have also experienced this with npm ci. Perhaps I should open another issue for this?

[isaacs]

@snypelife Nah, one is fine. I'm thinking it's the same core issue in Arborist anyway.

[isaacs]

Fixed in latest v7 beta. Thanks!