[BUG] `npm audit fix` adds redundant dependencies in workspaces

[jlin-appaegis]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

An additional package is added as a dependency to existing workspaces, even though it is not listed as a dependency of the existing workspace in the package.json originally.

Expected Behavior

npm audit fix --force should only upgrade existing vulnerable dependencies. It should NOT add new dependencies to workspaces unless explicitly defined in the package.json originally.

Steps To Reproduce

1. Clone the example repository
2. Install dependencies using npm ci.
3. Run npm audit fix --force to address all vulnerabilities.
4. The additional @swc/cli is added to the workspace package-a, however, the workspace package-a doesn't need it.

Environment

• npm: 10.9.1
• Node.js: 21.5.0
• OS Name: macOS 14.6.1
• System Model Name: Macbook Pro 14-inch, 2021
• npm config:

; "user" config from /Users/jamie/.npmrc

; node bin location = /Users/jamie/.nvm/versions/node/v21.5.0/bin/node
; node version = v21.5.0
; npm local prefix = /Users/jamie/Sources/monorepo
; npm version = 10.9.1
; cwd = /Users/jamie/Sources/monorepo
; HOME = /Users/jamie
; Run `npm config ls -l` to show all defaults.

[milaninfy]

@jlin-appaegis
package-a and package-b does need that @swc/cli dependency as stated from your example repo

https://github.com/jlin-appaegis/monorepo-npm-audit-fix-issue/blob/90381b7cdfe30ceee9f48d960a4e0a78433ad2eb/package-a/package.json#L11-L16

https://github.com/jlin-appaegis/monorepo-npm-audit-fix-issue/blob/90381b7cdfe30ceee9f48d960a4e0a78433ad2eb/package-b/package.json#L6-L8

also running npm ls against package-lock shows that it needs and it's there

~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls --package-lock-only
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ci

added 911 packages, and audited 914 packages in 10s

225 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm audit fix --force
npm warn using --force Recommended protections disabled.

up to date, audited 914 packages in 957ms

225 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm ls
monorepo@1.0.0 /Users/milaninfy/workarea/rep/monorepo-npm-audit-fix-issue
├─┬ @mammothcyber/package-a@1.0.0 -> ./package-a
│ ├── @swc/cli@0.5.1
│ ├── next@14.2.18
│ ├── nextra-theme-docs@3.2.4
│ └── nextra@3.2.4
└─┬ @mammothcyber/package-b@1.0.0 -> ./package-b
  ├── @swc/cli@0.5.1 deduped
  └── nextra@3.2.4

~/workarea/rep/monorepo-npm-audit-fix-issue $ git status
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean
~/workarea/rep/monorepo-npm-audit-fix-issue $ npm -v
10.9.1

[jlin-appaegis]

@milaninfy
Perhaps when I tried to reproduce the issue, I also committed the affected part into the repository. However, I have now confirmed that this issue can no longer be reproduced. I’m very sorry for wasting your time reviewing this unreproducible issue, and I’m embarrassed that it took me so long to notice this reply.