I installed an npm package called [email protected] and in part of the output npm says:
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
So I run npm audit fix but it says it can't fix it:
fixed 0 of 1 vulnerability in 202 scanned packages
1 vulnerability required manual review and could not be updated
So I run npm audit and I get this message:
$ npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary Code Execution
Package underscore
Patched in >=1.12.1
Dependency of bbfy
Path bbfy > underscore
More info https://npmjs.com/advisories/1674
found 1 high severity vulnerability in 202 scanned packages
1 vulnerability requires manual review. See the full report for details.
So I go to the webpage referenced, and it tells me to upgrade underscore to "versions 1.12.1 or 1.13.0-2 or later", so I run this command:
$ npm i [email protected]
[snip]
+ [email protected]
updated 1 package and audited 202 packages in 2.726s
[snip]
found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Still complaining about 1 vulnerability though. I checked with npm audit and it's the same underscore vulnerability. So did I fix the problem or not? If I didn't, what went wrong?
NPM will install multiple copies of a package to satisfy conflicting version requirements in the packages that depend on it (including your own project at the top level).
An older, vulnerable version of underscore is installed because the bbfy package depends on that older version. What your npm i command did was to install another separate copy of underscore at the later version you requested. (You can remove that one, unless you'll be using underscore directly in your project.)
Since bbfy hasn't been updated in five years, the only way to work around this will be to override the dependency with npm shrinkwrap. (This might produce broken code, but I doubt underscore has changed in any problematic way from 1.8 to 1.12.)
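To see the "two copies" situation the answer describes without trusting npm's summary line, you can walk the lockfile yourself. The following is an added example, not code from the question, the answer, or the bbfy project: it reads a lockfile v1 dependency tree (the npm 6 package-lock.json format, which matches the audit output quoted above), lists every installed copy of a package, and flags those below the advisory's patched version. The lockfile content is constructed for illustration; the bbfy version and the exact nested underscore version are assumptions, as is the range bbfy requires.

```javascript
// Added example (not from the original question or answer): walk a
// package-lock.json tree and list every installed copy of a package,
// flagging the ones that are still below the patched version.

const PATCHED_IN = "1.12.1"; // "Patched in >=1.12.1" from the audit report

// Constructed lockfile v1 fragment mirroring the question: a fixed
// underscore at the top level (installed by `npm i`) and a vulnerable
// copy nested under bbfy. Versions and the requires range are assumed.
const lockfile = {
  lockfileVersion: 1,
  dependencies: {
    bbfy: {
      version: "0.1.0",
      requires: { underscore: "~1.8.3" },
      dependencies: {
        underscore: { version: "1.8.3" }
      }
    },
    underscore: { version: "1.13.1" }
  }
};

// Compare dotted numeric versions after dropping any pre-release tag
// ("1.13.0-2" compares as 1.13.0). Negative if a < b, 0 if equal,
// positive if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `name` in a lockfile v1 dependency
// tree, recording the chain of parent packages that own a nested copy
// (the same "bbfy > underscore" path npm audit prints).
function findCopies(deps, name, path = [], out = []) {
  for (const [dep, entry] of Object.entries(deps || {})) {
    if (dep === name) {
      out.push({ path: [...path, dep].join(" > "), version: entry.version });
    }
    findCopies(entry.dependencies, name, [...path, dep], out);
  }
  return out;
}

// Return only the copies that are still below the patched version.
function vulnerableCopies(lock, name, patchedIn) {
  return findCopies(lock.dependencies, name).filter(
    (c) => compareVersions(c.version, patchedIn) < 0
  );
}

// Stand-alone run: reports the nested copy under bbfy, not the top-level one.
for (const c of vulnerableCopies(lockfile, "underscore", PATCHED_IN)) {
  console.log(`${c.path}@${c.version} is below ${PATCHED_IN}`);
}
```

Against a real project, replace the constructed object with `JSON.parse(fs.readFileSync("package-lock.json"))`; `npm ls underscore` gives the same tree interactively. Whichever way you force the nested copy forward (the shrinkwrap edit the answer suggests, or the `overrides` field in package.json that npm 8.3 and later support), rerun the check afterwards: the fix has only worked when no copy below the patched version remains anywhere in the tree, not just at the top level.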