
[BUG] npm audit fix doesn't work with min-release-age #9212

Description

@derekcicerone

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

With min-release-age=2 in .npmrc:

% npm audit fix

up to date, audited 2348 packages in 2s

524 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  <1.15.0
Severity: critical
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
fix available via `npm audit fix`
node_modules/axios

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

Expected Behavior

Without that setting:

npm audit fix 

changed 1 package, and audited 2348 packages in 2s

524 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Steps To Reproduce

No response

Environment

No response
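
A triage check for the situation reported above, as an added example that is not part of the original issue and not npm's code: it tests whether every patched release is still inside the release-age window. It assumes the cooldown compares each version's publish timestamp (the `time` map of the registry packument) against now minus `min-release-age` days; the `triage` helper, the sample timestamps and the comparison rule are constructed for illustration.

```javascript
// Added triage example; not npm's code. All data below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "x.y.z" into numbers; prerelease/build tags are ignored for brevity.
function parse(v) {
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Split every release at or above the first patched version into those older
// than the cooldown (installable) and those still inside it (held back).
// Assumption: a version is allowed once its publish time is <= the cutoff.
function triage(time, firstPatched, minReleaseAgeDays, now) {
  const cutoff = now.getTime() - minReleaseAgeDays * DAY_MS;
  const patched = Object.keys(time)
    // The time map also carries "created" and "modified"; keep versions only.
    .filter((v) => /^\d+\.\d+\.\d+/.test(v) && compare(v, firstPatched) >= 0)
    .sort(compare);
  const installable = patched.filter((v) => Date.parse(time[v]) <= cutoff);
  const heldBack = patched.filter((v) => Date.parse(time[v]) > cutoff);
  const blockedByCooldown = installable.length === 0 && heldBack.length > 0;
  return { installable, heldBack, blockedByCooldown };
}

// Constructed sample shaped like the `time` field of a registry packument.
const sampleTime = {
  created: '2020-01-01T00:00:00.000Z',
  modified: '2030-01-10T12:00:00.000Z',
  '1.14.0': '2029-12-01T00:00:00.000Z',
  '1.15.0': '2030-01-10T00:00:00.000Z', // patched release, one day old
};
const sampleNow = new Date('2030-01-11T00:00:00.000Z');

// The advisory range is <1.15.0, so 1.15.0 is the first patched version.
console.log(triage(sampleTime, '1.15.0', 2, sampleNow));
```

Real input for the `time` argument can be taken from `npm view axios time --json`. When `blockedByCooldown` is true, the advisory stays open until the patched release ages past the window or the setting is overridden for that install.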
