npm audit found high severity vulnerabilities

Fix 'npm audit found N vulnerabilities (M high severity)'. Get a patched package.json with all high severity CVEs resolved.

Error Message
found 3 high severity vulnerabilities

Root Cause

One or more of your npm dependencies has a known HIGH or CRITICAL CVE. npm audit reports it but npm audit fix may not be able to resolve it without breaking changes.

How to Fix

  1. Paste your package.json into PackageFix to get a live CVE scan with safe fix versions.
  2. Review the severity badges — CRITICAL and HIGH packages on the CISA KEV catalog are flagged in red.
  3. Download the fixed package.json and run npm install to regenerate package-lock.json.
  4. For transitive vulnerabilities, use the npm overrides block PackageFix generates.

What npm audit high severity means

When npm audit reports a high severity vulnerability, it means one or more packages in your dependency tree have a CVSS score between 7.0 and 8.9. These vulnerabilities can often be exploited remotely and should be fixed within your next release cycle.

CVSS Severity Scale
CRITICAL: CVSS 9.0–10.0 — Fix immediately
HIGH: CVSS 7.0–8.9 — Fix in next release cycle
MEDIUM: CVSS 4.0–6.9 — Fix when practical
LOW: CVSS 0.1–3.9 — Fix at convenience

Why npm audit fix doesn't resolve it

The most common reason npm audit fix won't resolve a high severity vulnerability is that the fix requires a major version bump. npm audit fix only applies semver-compatible updates — it won't automatically upgrade from express@4 to express@5 because that could introduce breaking changes.

# See what npm audit fix would do
npm audit fix --dry-run

# Force major version upgrades (test thoroughly first)
npm audit fix --force

# See the full vulnerability tree
npm audit --json | head -100

Fixing transitive high severity vulnerabilities

If the vulnerable package is not in your package.json directly — it's pulled in by another package — npm audit fix cannot resolve it automatically. You have two options:

Option 1 — npm overrides (recommended)

Add an "overrides" block to package.json (JSON does not allow comments, so the block is shown on its own):

{
  "overrides": {
    "vulnerable-package": "safe-version"
  }
}

Then reinstall so the lockfile picks up the override:

npm install

Option 2 — Update the parent package

# Find which package pulls in the vulnerability
npm ls vulnerable-package

# Update the parent package that depends on it
npm install parent-package@latest
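The two sections above explain why npm audit fix skips fixes that need a major bump and how an overrides block pins a transitive dependency. As an added example (not PackageFix code), the script below reads an `npm audit --json` report (auditReportVersion 2 shape), emits an overrides block for HIGH/CRITICAL transitive findings, and lists the parent packages whose fix is a semver-major bump. The report is a constructed sample, and the safe version is derived heuristically from the upper bound of the vulnerable range.

```javascript
// Constructed sample of `npm audit --json` output, trimmed to the fields read here.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'cross-spawn': {
      name: 'cross-spawn', severity: 'high', isDirect: false,
      range: '<7.0.5', effects: ['execa'],
      fixAvailable: { name: 'execa', version: '9.0.0', isSemVerMajor: true },
    },
    lodash: {  // direct dependency: fix it in package.json, not via overrides
      name: 'lodash', severity: 'high', isDirect: true,
      range: '<4.17.21', effects: [], fixAvailable: true,
    },
    semver: {  // below HIGH: left out of the generated block
      name: 'semver', severity: 'moderate', isDirect: false,
      range: '<5.7.2', effects: ['some-tool'], fixAvailable: true,
    },
  },
};

// Heuristic (assumption, not an npm API): the first non-vulnerable version is the
// exclusive upper bound of a range such as "<7.0.5" or ">=1.0.0 <2.0.0". Inclusive
// ("<=") or open-ended ranges return null so no unsafe override is emitted.
function minSafeVersion(range) {
  const m = /<\s*(\d+\.\d+\.\d+)\s*$/.exec(range);
  return m ? m[1] : null;
}

// Returns { overrides, majorBumps, unresolved } for HIGH/CRITICAL transitive findings.
// An override pins the package tree-wide, so the parent must still be tested against it.
function buildOverrides(report) {
  const overrides = {};
  const majorBumps = [];  // parent upgrades npm audit fix will not apply without --force
  const unresolved = [];  // findings with no usable upper bound
  for (const v of Object.values(report.vulnerabilities)) {
    if (!['high', 'critical'].includes(v.severity) || v.isDirect) continue;
    const safe = minSafeVersion(v.range);
    if (!safe) { unresolved.push(v.name); continue; }
    overrides[v.name] = safe;
    if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      majorBumps.push(`${v.fixAvailable.name}@${v.fixAvailable.version}`);
    }
  }
  return { overrides, majorBumps, unresolved };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = buildOverrides(SAMPLE_AUDIT);
  console.log(JSON.stringify({ overrides: r.overrides }, null, 2));
  for (const p of r.majorBumps) console.log(`# parent fix needs a major bump: ${p}`);
}
```

Pipe a real report in with `npm audit --json > audit.json` and pass the parsed file to buildOverrides to get the block for your own tree.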

Common high severity npm packages and fixes

Package         CVE               Safe Version
cross-spawn     CVE-2024-21538    7.0.5+
multer          CVE-2025-47944    2.1.1
jsonwebtoken    CVE-2022-23529    9.0.0+
axios           CVE-2023-45857    1.7.4+
lodash          CVE-2021-23337    4.17.21

Scan your full manifest

npm audit only covers your lockfile. PackageFix checks all 7 ecosystems, flags CISA KEV actively exploited packages, and generates the exact npm overrides block for transitive vulnerabilities.

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.


No signup · No CLI · No GitHub connection · Runs 100% in your browser

Frequently Asked Questions

Why can't npm audit fix resolve high severity vulnerabilities?
npm audit fix only applies semver-compatible updates. If the fix requires a major version bump, it won't apply automatically to avoid breaking changes.
What does 'high severity' mean in npm audit?
HIGH severity corresponds to a CVSS score of 7.0–8.9. These can often be exploited remotely. Fix within your next release cycle.
How do I fix a high severity vulnerability in a transitive dependency?
Use npm overrides in package.json: {"overrides": {"vulnerable-package": "safe-version"}}. PackageFix generates this snippet.
What is the difference between HIGH and CRITICAL in npm audit?
HIGH = CVSS 7.0–8.9, CRITICAL = CVSS 9.0–10.0. Both require prompt remediation. CRITICAL should be fixed immediately.