What does “npm audit fix” exactly do?

From NPM’s site on their audit command: “npm audit fix runs a full-fledged npm install under the hood.” And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document: “Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones: $ npm audit fix --force” As …

Running ‘npm audit fix --force’ downgrades react-scripts

One of the create-react-app maintainers has announced that they cannot fix this as the vulnerabilities affect transitive dependencies, and that it should not matter. The reasoning is that the npm audit feature was built with Node apps in mind, not build tools. Vulnerabilities in the dependencies should (in most cases) not translate to vulnerabilities in …

How to fix npm vulnerabilities manually?

lodash-cli in devDependencies doesn’t affect how browser-sync works in your project; devDependencies are ignored when a package is installed as a dependency. What the audit report says is that it’s easy-extender that has the lodash dependency: browser-sync > easy-extender > lodash. It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could …