kelektiv / node.bcrypt.js

bcrypt for NodeJs


NPM warns about a vulnerability in semver

OIRNOIR opened this issue · comments

When installing bcrypt and then running npm audit, it reports 4 moderate security vulnerabilities caused by dependencies on vulnerable versions of semver. It would be great if these could be updated to fix the problem.
GHSA-c2qf-rxjj-qqgw

The npm audit output on a clean install (npm i bcrypt) is below:

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install bcrypt@5.0.1, which is a breaking change
node_modules/make-dir/node_modules/semver
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    @mapbox/node-pre-gyp  >=1.0.1
    Depends on vulnerable versions of make-dir
    node_modules/@mapbox/node-pre-gyp
      bcrypt  >=5.1.0
      Depends on vulnerable versions of @mapbox/node-pre-gyp
      node_modules/bcrypt

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit fix has no effect, and npm audit fix --force would revert to an extremely old version.
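The chain in the audit report above (bcrypt -> @mapbox/node-pre-gyp -> make-dir -> a nested semver) is why a plain npm audit fix cannot help: the nested copy lives under make-dir's own node_modules directory and is constrained by make-dir's declared range, not by anything in your package.json. The script below is an added example, not code from the bcrypt project or from anyone in this thread. It walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), reports every installed copy of semver with the chain that nests it, and drafts the package.json "overrides" entry that would force a vulnerable nested copy onto a patched line. The patched versions it compares against (5.7.2, 6.3.1, 7.5.2) are taken from the advisory rather than from this thread, the "overrides" field assumes npm 8.3 or newer, and the lock fragment and its versions are constructed for the example.

```javascript
// Added example (not code from kelektiv/node.bcrypt.js or from anyone in this thread).
// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports
// every installed copy of `semver`, the chain of packages that nests it, and whether that
// copy is still in the advisory's vulnerable range. A nested copy such as
// node_modules/make-dir/node_modules/semver is pinned by make-dir's own range, which is
// why a plain `npm audit fix` cannot bump it.

// Assumption: the patched releases for GHSA-c2qf-rxjj-qqgw are 5.7.2, 6.3.1 and 7.5.2
// (the thread itself only quotes the "<7.5.2" line of npm's report).
const PATCHED_BY_MAJOR = { 5: [5, 7, 2], 6: [6, 3, 1], 7: [7, 5, 2] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Patched version that a given semver release should be compared against.
// Majors below 5 never received a patched release, so they are measured against 5.7.2;
// majors above 7 were never affected.
function patchedFor(version) {
  const major = parseVersion(version)[0];
  if (major > 7) return null;
  return PATCHED_BY_MAJOR[major] || PATCHED_BY_MAJOR[5];
}

function isVulnerableSemver(version) {
  const patched = patchedFor(version);
  return patched !== null && compareVersions(parseVersion(version), patched) < 0;
}

// Turn "node_modules/make-dir/node_modules/semver" into ["make-dir", "semver"].
function chainFromPath(lockPath) {
  return lockPath.split('node_modules/').map(s => s.replace(/\/$/, '')).filter(Boolean);
}

function findSemverCopies(lock) {
  const copies = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === '') continue; // the root project entry
    const chain = chainFromPath(lockPath);
    if (chain[chain.length - 1] !== 'semver') continue;
    copies.push({ path: lockPath, chain, version: meta.version, vulnerable: isVulnerableSemver(meta.version) });
  }
  return copies;
}

// Draft a package.json "overrides" object (npm >= 8.3; assumed to be the workaround
// a practitioner would reach for) forcing each vulnerable copy onto its patched line.
// A nested copy is keyed under its parent so the hoisted copy is left alone.
function suggestOverrides(copies) {
  const overrides = {};
  for (const c of copies) {
    if (!c.vulnerable) continue;
    const range = '^' + patchedFor(c.version).join('.');
    const parent = c.chain.length >= 2 ? c.chain[c.chain.length - 2] : null;
    if (parent === null) overrides.semver = range; // hoisted top-level copy
    else overrides[parent] = { ...(overrides[parent] || {}), semver: range };
  }
  return overrides;
}

// Constructed lock fragment mirroring the chain in npm's report
// (bcrypt -> @mapbox/node-pre-gyp -> make-dir -> semver); versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { bcrypt: '^5.1.0' } },
    'node_modules/bcrypt': { version: '5.1.0' },
    'node_modules/@mapbox/node-pre-gyp': { version: '1.0.10' },
    'node_modules/make-dir': { version: '3.1.0' },
    'node_modules/semver': { version: '7.5.4' },                       // hoisted copy
    'node_modules/make-dir/node_modules/semver': { version: '6.0.0' }, // nested, pinned by make-dir
  },
};

function report(lock) {
  const copies = findSemverCopies(lock);
  const lines = copies.map(c =>
    `${c.vulnerable ? 'VULNERABLE' : 'ok        '} semver@${c.version}  via ${c.chain.join(' > ')}`);
  return { copies, overrides: suggestOverrides(copies), lines };
}

const result = report(SAMPLE_LOCK);
console.log(result.lines.join('\n'));
console.log(JSON.stringify({ overrides: result.overrides }, null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')). An override only changes what npm resolves on your machine; it does not change what the published bcrypt package declares, so the upstream dependency bump is still the real fix.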

# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install mongoose-encryption@1.2.2, which is a breaking change
node_modules/make-dir/node_modules/semver
node_modules/semver
  make-dir  2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
    @mapbox/node-pre-gyp  >=1.0.1
    Depends on vulnerable versions of make-dir
    node_modules/@mapbox/node-pre-gyp
      bcrypt  >=5.1.0
      Depends on vulnerable versions of @mapbox/node-pre-gyp
      node_modules/bcrypt
  mongoose-encryption  0.11.1 || >=1.2.3
  Depends on vulnerable versions of semver
  node_modules/mongoose-encryption

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Same here. I am getting the same thing, but with 5 moderate severity vulnerabilities.
It says to run npm audit fix --force, but that would downgrade mongoose-encryption.

Same here. The warning is appearing for me too.

On Stack Overflow, I found that the suggestion for this issue was to delete package-lock.json and the node_modules folder, and then run npm install again to reinstall all the required packages. See the link here: https://stackoverflow.com/questions/53089810/npm-install-gives-warnings-npm-audit-fix-not-working

Hi @esun237,

  1. That is not the issue we're talking about. In that Stack Overflow question, the problem is an error involving an invalid lock file. That error does not occur here: npm audit fix, instead of throwing an error, simply makes no changes and prints an identical audit report.
  2. The npm audit warnings still happen on a fresh install. Try it yourself: install it into a brand-new folder. Therefore, nothing will be fixed by deleting and reinstalling anything.


Same problem...
Tried running npm audit fix --force, but all in vain.

There is a workaround here: Unitech/pm2#5623 (comment) but I would only do this as a workaround in exceptional cases. Still, bcrypt needs to be updated to the latest version of semver.

same here!

This is no longer an issue.