How to fix phoenix npm security vulnerabilities?

Hello. After figuring out how to downgrade npm, I ran it and was greeted with
found 16 vulnerabilities (6 moderate, 10 high)
npm audit fix is unable to fix them. Is there a standard place I can go to fix my application’s security?

We have no idea what you are trying to do. First of all newly generated app does not have package.json. You are of course free to create it and add dependencies, but we have completely no idea what are you putting there. There may be outdated dependencies or even no longer maintained. Secondly why do you downgrade something and expect everything would work as before? If old npm version have vulnerabilities you need to upgrade it back. Since you did not said why did you downgrade it we have no idea what and why you are doing and therefore there is absolutely no way to guide you.

Also it may be not in this case, but maybe you have called npm audit fix in root project directory. All npm (at least by default) should be called with current working directory set to assets instead of root directory.

Hi. Sorry if I was not clear.
I was trying to run npm install in the default assets directory. I tried many variations of npm install, and they all failed horribly. Some dependencies would not work with the latest version of node.

Finally I found this post: telling me to downgrade to Node 14, which I did. However, downgrading also gave me this

ixed 0 of 16 vulnerabilities in 960 scanned packages
  2 vulnerabilities required manual review and could not be updated
  4 package updates for 14 vulnerabilities involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

I asked my question because I could not find resources on how to best deal with the vulnerabilities present in the default package.json file. Thank you.

As @Eiji mentioned above, new Phoenix projects no longer have a default package.json. We don’t know what is in yours. There is no specific Phoenix incantation to manage this, so you should research the regular node ways to resolve these.


It’s nice you have linked something, but pay attention that it’s no longer up-to-date. As said above newest phoenix generators does not requires npm installs (as of esbuild and tailwind installers). We still have no idea what dependencies you want to use.

As in issue you linked I would go with change dependencies like they suggested with node-sass -> sass. I guess that if some packages for a longer time does not support latest node version then they may be outdated. If so in long term fixing issues manually does not makes sense and it’s not worth for a single developer. If we look for example at Elixir we notice that it added support for latest Erlang in a patch release (like 1.13.4 added minimal support for OTP 25). It’s not always so easy, but in general I would recommend to search for alternative dependencies.

If we agree on above then let’s go back to 1st paragraph i.e. we have no idea which alternatives we could suggest you. That’s it … at least for dependencies part …

Again all you said is that you have downgraded node, but we still have no idea to which version. :sweat_smile:

asdf is widely recommended on this forum tool for environment setup. Using it you can install and manage multiple versions of Erlang, Elixir, PostgreSQL, NodeJS and many other … If for example node versions 20.x are too new for you then you should choose 19.9.0 instead of 19.0.0.

If you still want to keep outdated software for some reason then you need to be aware with consequences and using npm audit tool you should make changes manually (as npm audit fix suggests). I cannot advice you more without any information as simply we don’t even know what you want to audit.

Also since it’s strictly node-related question I would advice to try on their forums (if any). With LiveView (soon also Hologram) we don’t have much work with JavaScript anymore (except big dependencies/popular/often updated dependencies and of course our own code like Hooks) and in longer time less percent of our forum users would be specialists in NodeJS.


Ok. Thanks for your help. I will look into it. My dependencies are from running mix, I must be using an old version of phoenix.

You can try

npm outdated 

in the assets folder

1 Like

Try mix archive.install hex phx_new --force - when writing this reply the latest phx_new version is 1.7.7. You most probably have 1.6.x or even lower.

1 Like