[BUG] npm won't update to higher version of package allowed by constraints, preventing security patching #7356

@G-Rath

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

For some reason, when installing netlify-cli, npm decides to use slightly lower versions of follow-redirects and word-wrap, which have known security vulnerabilities, even though the version constraints allow the patched versions:

❯ npm ls word-wrap follow-redirects
netcheck@1.0.0 /home/jones/workspace/projects-scrap/netcheck
├─┬ http-proxy@1.18.1
│ └── follow-redirects@1.15.6
├─┬ netlify-cli@17.22.0
│ ├─┬ @netlify/zip-it-and-ship-it@9.31.1
│ │ └─┬ precinct@11.0.2
│ │   └─┬ detective-amd@5.0.1
│ │     └─┬ escodegen@2.0.0
│ │       └─┬ optionator@0.8.3
│ │         └── word-wrap@1.2.3
│ └─┬ http-proxy@1.18.1
│   └── follow-redirects@1.15.1
└─┬ optionator@0.8.3
  └── word-wrap@1.2.5

No matter what I do, I can't get more information about why these lower versions are being used, and running npm update for these packages does nothing (I have tried all kinds of combinations: removing node_modules, removing the lockfile, removing both, removing ...).

npm audit also reports these vulnerabilities and says they're fixable but npm audit fix does nothing.

Expected Behavior

The latest version allowed by the constraint is used, especially when doing an explicit npm update <package>.

Steps To Reproduce

  1. install netlify-cli
  2. run npm audit
  3. run npm audit fix
  4. run npm update follow-redirects
  5. etc.

Environment

  • npm: 10.5.1
  • Node.js: 20.11.0
  • OS Name: Ubuntu 20.04
  • System Model Name:
  • npm config:
❯ npm config ls
; "user" config from /home/jones/.npmrc

audit = false
fund = false

; node bin location = /home/jones/.nodenv/versions/20.11.0/bin/node
; node version = v20.11.0
; npm local prefix = /home/jones/workspace/projects-scrap/netcheck
; npm version = 10.5.1
; cwd = /home/jones/workspace/projects-scrap/netcheck
; HOME = /home/jones
; Run `npm config ls -l` to show all defaults.
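The npm ls output above shows the symptom (two copies of follow-redirects, the nested one older) but not which dependent pulled in the stale copy or whether a newer installed copy would already satisfy its range. The script below is an added example, not code from the issue author or from npm: it reads a package-lock.json (lockfileVersion 2/3 "packages" map), resolves each declared dependency the way Node does (nearest node_modules walking upward), and reports every resolved copy that is older than the highest installed version satisfying the same range. The SAMPLE_LOCK is constructed to mirror the tree in the report; the intermediate packages between netlify-cli and optionator are collapsed, and the "^1.0.0" / "^1.2.3" ranges are assumed. Only caret and exact ranges are supported, which is enough for the sample; a real lockfile would want the semver package.

```javascript
'use strict';

// Constructed sample modelled on the npm ls tree in the report (lockfile v3 layout).
// Ranges are assumed for the example; intermediate packages are collapsed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'netcheck', version: '1.0.0',
      dependencies: { 'http-proxy': '^1.18.1', 'netlify-cli': '^17.22.0', optionator: '^0.8.3' } },
    'node_modules/http-proxy': { version: '1.18.1', dependencies: { 'follow-redirects': '^1.0.0' } },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/netlify-cli': { version: '17.22.0',
      dependencies: { 'http-proxy': '^1.18.1', optionator: '^0.8.3' } },
    'node_modules/netlify-cli/node_modules/http-proxy': { version: '1.18.1',
      dependencies: { 'follow-redirects': '^1.0.0' } },
    'node_modules/netlify-cli/node_modules/http-proxy/node_modules/follow-redirects': { version: '1.15.1' },
    'node_modules/netlify-cli/node_modules/optionator': { version: '0.8.3',
      dependencies: { 'word-wrap': '^1.2.3' } },
    'node_modules/netlify-cli/node_modules/optionator/node_modules/word-wrap': { version: '1.2.3' },
    'node_modules/optionator': { version: '0.8.3', dependencies: { 'word-wrap': '^1.2.3' } },
    'node_modules/word-wrap': { version: '1.2.5' },
  },
};

// "1.15.6" -> [1, 15, 6]; prerelease/build suffixes are ignored in this minimal parser.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal semver check: exact versions and caret ranges only (enough for the sample).
function satisfies(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];          // ^1.2.3 : >=1.2.3 <2.0.0
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1]; // ^0.8.3 : >=0.8.3 <0.9.0
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];    // ^0.0.3 : exactly 0.0.3
}

// Package name is whatever follows the last "node_modules/" (handles scoped names).
function packageName(path) {
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Node resolution against the lockfile: <from>/node_modules/<name>, then each ancestor.
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf('/node_modules/');
    dir = idx === -1 ? '' : dir.slice(0, idx);
  }
}

// Report every dependency edge whose resolved copy is older than the highest
// installed version of that package that still satisfies the declared range.
function findStaleCopies(lock) {
  const packages = lock.packages;
  const installed = new Map(); // name -> list of installed versions
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue;
    const name = packageName(path);
    if (!installed.has(name)) installed.set(name, []);
    installed.get(name).push(meta.version);
  }
  const findings = [];
  for (const [fromPath, meta] of Object.entries(packages)) {
    for (const [name, range] of Object.entries(meta.dependencies || {})) {
      const resolved = resolveDep(packages, fromPath, name);
      if (!resolved) continue;
      const got = packages[resolved].version;
      const best = installed.get(name).filter((v) => satisfies(range, v)).sort(compareVersions).pop();
      if (best && compareVersions(best, got) > 0) {
        findings.push({ dependent: fromPath || '(root)', name, range, resolved, got, best });
      }
    }
  }
  return findings;
}

for (const f of findStaleCopies(SAMPLE_LOCK)) {
  console.log(`${f.dependent} wants ${f.name}@${f.range}: got ${f.got} at ${f.resolved}, ${f.best} is installed elsewhere`);
}
```

Pointing it at a real lockfile (JSON.parse of package-lock.json) lists the nested copies that npm audit is complaining about together with the package that requires each one, which is the information npm ls leaves out; it does not explain why npm kept the older copy, only where it sits and what range it was installed under.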
