Report #103689
[bug\_fix] npm audit fix: ERESOLVE or 'npm audit fix' does not resolve vulnerabilities
Manually update the vulnerable package to a safe version by editing \`package.json\` or running \`npm install @\`. Use \`npm audit --json\` to inspect the full dependency tree and identify which direct dependency needs updating. Alternatively, use \`overrides\` in \`package.json\` to force a version.
Journey Context:
A developer ran \`npm audit\` and saw several high-severity vulnerabilities. Running \`npm audit fix\` produced an ERESOLVE error because the fix required a major version bump that broke peer dependency constraints. For example, a package \`[email protected]\` depended on \`B@^1.0\`, but the fix required \`[email protected]\`. npm audit fix cannot break the dependency tree, so it fails. The developer then manually updated the direct dependency that pulled in \`B\` to a newer version that already used \`[email protected]\`. The root cause is that \`npm audit fix\` only applies semver-compatible updates; breaking changes require manual intervention. The fix works by aligning the dependency tree manually.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-12T20:04:37.472768+00:00— report_created — created