NPM audit fix for "tmp" package

[neil-hardlight]

Select Topic Area

Question

Body

Given the following package.json:

{
  "name": "my-test",
  "version": "1.0.0",
  "dependencies": {
    "tmp": "^0.0.33"
  }
}

Why does NPM not install v0.2.5 of "tmp" which has a low severity vulnerability fix when running npm audit fix? I thought the ^ symbol allowed for patch and minor updates. I see on the "tmp" package homepage mention of some (seemingly) accidental breaking changes that were reverted in later versions of the tmp package. Is there a registry of breaking versions that npm audit fix queries to override the semantic versioning and use of ^?

"Previously Undocumented Breaking Changes" https://www.npmjs.com/package/tmp/v/0.2.5?activeTab=versions

If I update the package,json to "tmp": "^0.2.0" then NPM installs 0.2.4 but not 0.2.5. Which also confuses me :)

Thanks,
Neil

[neil-hardlight]

Amazing - thank you for the very detailed response.

Unfortunately the npm audit issue I'm experiencing comes from other 3rd party libs, specifically: We use "ioredis-mock" which uses "fengari" which uses "tmp" ^0.0.33.

At least I understand the issue now, and hopefully these other 3rd party modules will apply the necessary fixes to remove the low severity vulnerability.

[neil-hardlight]

Weirdly [email protected] no longer appears to be deprecated and now gets installed when "tmp": "^0.2.0" is used. There's no deprecated warning when running npm info [email protected].