[BUG] npm audit fix updates a module when it is a major change.

[kendraschwartz]

What / Why

npm audit fix updates the @angular-devkit/build-angular module from 0.803.26 to 0.901.7.
It seems that the audit registry reports to npm that the update is not a major one.
The update is to fix https://www.npmjs.com/advisories/1500.

When

When I run npm audit fix.

Current Behavior

• Audit fix updates the module.

Expected Behavior

• Audit fix shouldn't update the module since it is a major change.

Here is a command to reproduce the bug:

curl -X POST "https://registry.npmjs.org/-/npm/v1/security/audits" --header 'Content-Type: application/json' --data '{
"name": "debug",
"version": "1.0.0",
"requires": {
"@angular-devkit/build-angular": "~0.803.26"
},
"dependencies": {
"@angular-devkit/build-angular": {
"version": "0.803.26",
"dev": true,
"requires": {
"webpack-dev-server": "3.9.0"
}
},
"webpack-dev-server": {
"version": "3.9.0",
"dev": true,
"requires": {
"yargs": "12.0.5"
}
},
"yargs": {
"version": "12.0.5",
"dev": true,
"requires": {
"yargs-parser": "^11.1.1"
}
},
"yargs-parser": {
"version": "11.1.1",
"dev": true
}
},
"install": [],
"remove": [],
"metadata": {
"npm_version": "6.13.4",
"node_version": "v13.5.0",
"platform": "linux"
}
}'

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.