npm audit reports high-severity vulnerabilities but npm audit fix resolves none in Kafka-UI

[lobsangshakya]

I am working with Kafka-UI and noticed that npm audit reports several high-severity vulnerabilities, but running npm audit fix results in:

fixed 0 of X vulnerabilities

Even after removing node_modules and regenerating package-lock.json, the warnings persist. This appears to be related to transitive dependencies and peer dependency constraints, where no compatible patched versions are available yet.

Is the recommended approach in this case to:

Manually upgrade specific direct dependencies,
Use npm overrides cautiously, or

Wait for upstream dependency updates from maintainers?

Looking for guidance on the safest way to handle this without breaking peer dependencies or build stability.

[lobsangshakya]

This behavior is expected when reported vulnerabilities exist only in transitive dependencies and no compatible patched versions satisfy existing peer dependency constraints.

In Kafka-UI’s case, npm audit fix cannot apply updates safely because:

1. Vulnerable packages are not direct dependencies
2. Upgrading them would break peer dependency ranges enforced by upstream libraries
3. No non-breaking versions are currently available in the dependency graph

The recommended and safest approaches are:

1. Avoid forcing fixes (--force or aggressive overrides) in production builds
2. Manually update direct dependencies only when compatible versions are released
3. Monitor upstream packages and security advisories for patched releases
4. Accept that some audit warnings are informational until upstream maintainers resolve them

This approach preserves build stability while avoiding peer dependency breakage.

[Haarolean]

#4255
https://github.com/kafbat/kafka-ui