Fix Critical npm CVEs

Fix CRITICAL and HIGH severity CVEs in your npm dependencies. Paste package.json, get the exact patched version to download.

⚠ The Problem

npm audit reports CRITICAL or HIGH severity vulnerabilities but provides no fixed manifest to download. You have to manually find safe versions and edit the file.

Bad Configuration — package.json

{
  "dependencies": {
    "axios": "0.21.1",
    "jsonwebtoken": "8.5.1"
  }
}

Fixed Configuration — package.json

{
  "dependencies": {
    "axios": "1.7.4",
    "jsonwebtoken": "9.0.0"
  }
}

✓ Fix

axios 0.21.1 is affected by CVE-2023-45857 (HIGH). jsonwebtoken 8.5.1 is affected by CVE-2022-23540 (CRITICAL). Update to the safe versions above. After updating, run npm install.

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.

Open PackageFix →

No signup · No CLI · No GitHub connection · Runs 100% in your browser

Frequently Asked Questions

What does CRITICAL mean in npm audit?
CRITICAL severity means a CVSS score ≥ 9.0. These vulnerabilities can often be exploited remotely with no authentication. Fix immediately.

How do I fix a critical vulnerability in a transitive dependency?
Use npm overrides in package.json to force a safe version: {"overrides": {"vulnerable-package": "safe-version"}}. PackageFix generates this override block automatically.

Does CISA KEV include npm packages?
Yes. Several npm packages (lodash, axios, jsonwebtoken) have appeared on CISA's Known Exploited Vulnerabilities catalog. PackageFix flags these with a red KEV badge.

How do I verify a CVE fix was applied?
After updating, run npm audit again. If the CVE ID is gone, the fix is applied. PackageFix shows a 'Re-scan' button to verify live.
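The manifest rewrite described in the Fix section and the overrides answer above, as an added Node.js example (not PackageFix's own code): it bumps an affected direct dependency to the fixed version, or adds an "overrides" entry when the package is transitive. The advisory list is constructed from the two CVEs on this page; the rule that an audited name missing from dependencies/devDependencies is transitive is an assumption (npm audit only reports installed packages).

```javascript
// Added example (not PackageFix's code): bump each advisory-affected direct
// dependency to its first fixed version, or add an npm "overrides" entry when
// the package is transitive. Assumption: any audited name absent from
// dependencies/devDependencies is transitive, because npm audit only reports
// installed packages. Advisory data is constructed from the CVEs on the page.
const ADVISORIES = [
  { name: "axios", cve: "CVE-2023-45857", severity: "HIGH", fixed: "1.7.4" },
  { name: "jsonwebtoken", cve: "CVE-2022-23540", severity: "CRITICAL", fixed: "9.0.0" },
];

// Numeric comparison of dotted versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map((x) => parseInt(x, 10));
  const pb = b.split(".").map((x) => parseInt(x, 10));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lower bound of a simple range spec: "^0.21.1" and "~0.21.1" both start at 0.21.1.
const lowerBound = (spec) => spec.replace(/^[\^~>=\s]+/, "");

function patchManifest(manifestText, advisories) {
  const manifest = JSON.parse(manifestText);
  const fixes = [];
  for (const adv of advisories) {
    const section = ["dependencies", "devDependencies"]
      .find((s) => manifest[s] && adv.name in manifest[s]);
    if (section) {
      const current = manifest[section][adv.name];
      if (compareVersions(lowerBound(current), adv.fixed) >= 0) continue; // already safe
      manifest[section][adv.name] = adv.fixed;
      fixes.push(`${adv.name} ${current} -> ${adv.fixed} (${adv.cve}, ${adv.severity})`);
    } else {
      // Transitive dependency: force the safe version through npm overrides.
      manifest.overrides = manifest.overrides || {};
      manifest.overrides[adv.name] = adv.fixed;
      fixes.push(`${adv.name} override -> ${adv.fixed} (${adv.cve}, ${adv.severity})`);
    }
  }
  return { manifest, fixes };
}

// Constructed sample: axios is a direct dependency, jsonwebtoken only transitive.
const SAMPLE = JSON.stringify({ dependencies: { axios: "^0.21.1" } });
const result = patchManifest(SAMPLE, ADVISORIES);
console.log(JSON.stringify(result.manifest, null, 2), result.fixes);
```

After writing the patched manifest back to disk, npm install applies the bumps and overrides, and npm audit confirms the CVE IDs are gone.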
