[BUG] npm audit makes unrelated minor/patch updates to packages that require a major update to fix #9344

@36degrees

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Using @tootallnate/once as an example, starting with 2.0.0 installed.

@tootallnate/once has a vulnerability which is only fixed by updating to 3.0.1 (requiring the use of npm audit fix --force).

However, running npm audit fix with no --force flag results in @tootallnate/once being updated from 2.0.0 to 2.0.1, despite the fact that this does not resolve the vulnerability.

Expected Behavior

I would expect npm audit fix only to make changes to installed packages where those changes resolve the vulnerabilities shown when running npm audit.

Steps To Reproduce

  1. Run npm install @tootallnate/once@2.0.0
  2. Run npm audit and note that the only vulnerability listed requires a major semver change and is shown as needing npm audit fix --force to resolve it
  3. Run npm audit fix --long and note the unexpected change @tootallnate/once 2.0.0 => 2.0.1
npm audit fix --dry-run --json output:

$ npm -v
11.14.1

$ npm audit fix --dry-run --json
change @tootallnate/once 2.0.0 => 2.0.1
{
  "add": [],
  "added": 0,
  "audited": 2,
  "change": [
    {
      "from": {
        "name": "@tootallnate/once",
        "version": "2.0.0",
        "path": "/Users/oliver.byford/Code/npm-sandbox/node_modules/@tootallnate/once"
      },
      "to": {
        "name": "@tootallnate/once",
        "version": "2.0.1",
        "path": "/Users/oliver.byford/Code/npm-sandbox/node_modules/@tootallnate/once"
      }
    }
  ],
  "changed": 1,
  "funding": 0,
  "remove": [],
  "removed": 0,
  "audit": {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "@tootallnate/once": {
        "name": "@tootallnate/once",
        "severity": "low",
        "isDirect": false,
        "via": [
          {
            "source": 1113977,
            "name": "@tootallnate/once",
            "dependency": "@tootallnate/once",
            "title": "@tootallnate/once vulnerable to Incorrect Control Flow Scoping",
            "url": "https://github.com/advisories/GHSA-vpq2-c234-7xj6",
            "severity": "low",
            "cwe": [
              "CWE-705"
            ],
            "cvss": {
              "score": 3.3,
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
            },
            "range": "<3.0.1"
          }
        ],
        "effects": [],
        "range": "<3.0.1",
        "nodes": [
          ""
        ],
        "fixAvailable": {
          "name": "@tootallnate/once",
          "version": "3.0.1",
          "isSemVerMajor": true
        }
      }
    },
    "metadata": {
      "vulnerabilities": {
        "info": 0,
        "low": 1,
        "moderate": 0,
        "high": 0,
        "critical": 0,
        "total": 1
      },
      "dependencies": {
        "prod": 2,
        "dev": 0,
        "optional": 0,
        "peer": 0,
        "peerOptional": 0,
        "total": 1
      }
    }
  }
}

Environment

  • npm: 11.14.1
  • Node.js: v22.15.0
  • OS Name: macOS 26.4.1 (25E253)
  • System Model Name: MacBook Pro
  • npm config:
; node bin location = /Users/oliver.byford/.asdf/installs/nodejs/22.15.0/bin/node
; node version = v22.15.0
; npm local prefix = /Users/oliver.byford/Code/npm-sandbox
; npm version = 11.14.1
; cwd = /Users/oliver.byford/Code/npm-sandbox
; HOME = /Users/oliver.byford
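A check a maintainer can run over the npm audit fix --dry-run --json report above, added here and not part of the issue or of npm itself: it flags proposed changes whose target version still falls inside a reported advisory's vulnerable range, which is exactly the 2.0.0 => 2.0.1 change described. The sample report is constructed from the issue's output, and the small semver matcher is an assumption covering only the comparator syntax such reports emit, not the full semver grammar.

```javascript
// Added check, not npm's own code: flag proposed `npm audit fix --dry-run --json`
// changes whose target version still sits inside an advisory's vulnerable range.
// Assumes the report shape in the issue: change[].from/to and
// audit.vulnerabilities[name].range (a semver range such as "<3.0.1").
// Minimal semver: major.minor.patch only (assumption; prerelease tags are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when `version` lies inside `range`. Handles "<3.0.1", ">=2.0.0 <2.0.2"
// (space = AND) and "||" unions, which is what audit reports emit.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const [, op, target] = /^(<=|>=|<|>|=?)(.+)$/.exec(cmp);
      const c = compareVersions(version, target);
      if (op === '<') return c < 0;
      if (op === '<=') return c <= 0;
      if (op === '>') return c > 0;
      if (op === '>=') return c >= 0;
      return c === 0;
    }));
}

// Returns one line per proposed change that leaves the package still vulnerable.
function ineffectiveChanges(report) {
  const vulns = (report.audit && report.audit.vulnerabilities) || {};
  return report.change
    .filter(({ to }) => vulns[to.name] && satisfies(to.version, vulns[to.name].range))
    .map(({ from, to }) =>
      `${to.name} ${from.version} => ${to.version} still matches ${vulns[to.name].range}`);
}

// Constructed sample modelled on the dry-run output quoted in the issue.
const sampleReport = {
  change: [{ from: { name: '@tootallnate/once', version: '2.0.0' },
             to: { name: '@tootallnate/once', version: '2.0.1' } }],
  audit: { vulnerabilities: { '@tootallnate/once': { range: '<3.0.1' } } },
};

console.log(ineffectiveChanges(sampleReport)); // one line: 2.0.1 still matches <3.0.1
```

Pipe a real report in (for example by parsing the JSON from stdin) and a non-empty result means npm audit fix is about to make a change that does not close the advisory it reported.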

Metadata

Assignees: No one assigned

Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue)