[BUG] `--legacy-peer-deps` doesn't work for `npm audit fix`
Is there an existing issue for this?
- [X] I have searched the existing issues
This issue exists in the latest npm version
- [X] I am using the latest npm
Current Behavior
As per the npm-audit documentation, I'd expect the flag `--legacy-peer-deps` to work with `npm audit fix`. It does not.
> ... since `npm audit fix` runs a full-fledged `npm install` under the hood, all configs that apply to the installer will also apply to `npm install` -- so things like `npm audit fix --package-lock-only` will work as expected.
Expected Behavior
Flag `--legacy-peer-deps` should work with `npm audit fix`
Steps To Reproduce
I ran `npm audit fix` and encountered this error:
```
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/react-scripts
npm ERR! react-scripts@"^5.0.1" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react-scripts@"^4.0.0" from @craco/[email protected]
npm ERR! node_modules/@craco/craco
npm ERR! @craco/craco@"^6.1.2" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
```
I ran again with `npm audit fix --legacy-peer-deps` to no effect. The error was exactly the same.
Environment
- npm: 8.11.0
- Node.js: 16.15.0
- OS Name: MacOS 12.3.1
- System Model Name: MacBook Air M1 (2020)
- npm config:
```
; "user" config from /Users/nghiavt/.npmrc
@fortawesome:registry = "https://npm.fontawesome.com/"
//npm.fontawesome.com/:_authToken = (protected)
registry = "https://registry.npmjs.org/"
; node bin location = /Users/nghiavt/.nvm/versions/node/v16.15.0/bin/node
; node version = v16.15.0
; npm local prefix = /Users/nghiavt/Projects/(protected)
; npm version = 8.11.0
; cwd = /Users/nghiavt/Projects/(protected)
; HOME = /Users/nghiavt
; Run `npm config ls -l` to show all defaults.
```
I have this problem as well. Is there a workaround?
I also have this issue.
Would be nice to have the ability to set the `--legacy-peer-deps` flag for `npm audit fix --package-lock-only`.
We should be able to fix audit issues only related to package-lock.
If I run `npm audit fix --package-lock-only --force` it seems to ignore `--package-lock-only` and updates both `package.json` and `package-lock.json` and introduces breaking changes.
Hi @VTrngNghia,
Could you please provide actual steps and a `package.json` sample?