
[BUG] npm audit fix --force tries to download non-existing packages #5750

Closed
2 tasks done
XC- opened this issue Oct 26, 2022 · 1 comment · Fixed by #5923
Assignees
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 9.x work is associated with a specific npm 9 release

Comments

@XC-

XC- commented Oct 26, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm audit fix --force attempts to update nodemon and got. New nodemon version should be 2.0.20, but npm audit also tries to fetch got version 2.0.20 which does not exist. Closest got version is 2.0.0, which is 8 years old, latest being 12.5.2.

npm audit --audit-level high:

fix available via `npm audit fix --force`
Will install got@2.0.20, which is outside the stated dependency range
node_modules/got
node_modules/package-json/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        nodemon  1.3.5 - 2.0.16 || 2.0.18
        Depends on vulnerable versions of update-notifier
        node_modules/nodemon

npm audit fix --force:

npm WARN audit Updating got to 2.0.20, which is outside your stated dependency range.
npm WARN audit Updating nodemon to 2.0.20, which is outside your stated dependency range.
npm ERR! code ETARGET
npm ERR! notarget No matching version found for got@2.0.20.
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

Expected Behavior

nodemon version should not "leak" to got version download.

Steps To Reproduce

dependencies (package.json excerpt):

{
  "devDependencies": {
    "@types/amqplib": "0.8.2",
    "@types/dotenv": "8.2.0",
    "@types/got": "9.6.12",
    "@types/jest": "27.0.0",
    "@types/node": "15.0.2",
    "@types/uuid": "8.3.4",
    "@types/winston": "2.4.4",
    "@typescript-eslint/eslint-plugin": "4.33.0",
    "@typescript-eslint/parser": "4.33.0",
    "amqplib": "0.8.0",
    "eslint": "7.32.0",
    "eslint-config-prettier": "7.2.0",
    "eslint-plugin-import": "2.25.4",
    "eslint-plugin-prettier": "3.4.1",
    "jest": "27.5.1",
    "nodemon": "2.0.15",
    "prettier": "2.5.1",
    "ts-jest": "27.1.3",
    "ts-node": "9.1.1",
    "typescript": "4.2.4"
  },
  "dependencies": {
    "dotenv": "9.0.1",
    "got": "11.8.3",
    "pdfjs-dist": "^2.8.335",
    "uuid": "8.3.2",
    "winston": "3.6.0"
  }
}

Some packages have been removed since I cannot share them. Same goes for package-lock.json.

Environment

  • npm: 9.0.0
  • Node.js: 16.14.0
  • OS Name: Manjaro Linux
  • System Model Name: Lenovo ThinkPad

The problem also occurs with npm version 8.19.2.
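As an added defensive example (not npm's code and not from the issue author): a pre-flight check that parses the `npm WARN audit Updating <pkg> to <version>` lines shown above and refuses to proceed with `--force` when a planned target version is not actually published, which is exactly the symptom of this bug. The registry manifest here is constructed so the script runs offline; in practice it would be filled from `npm view <pkg> versions --json`.

```javascript
// Pre-flight check for `npm audit fix --force` plans (added example, not npm's code).
// Idea: capture the WARN lines from a dry run, then confirm each target version exists
// before letting --force rewrite package.json and the lockfile.

// Constructed stand-in for registry data (normally from `npm view <pkg> versions --json`).
const CONSTRUCTED_REGISTRY = {
  got: ['2.0.0', '11.8.3', '12.5.2'],
  nodemon: ['2.0.15', '2.0.16', '2.0.18', '2.0.20'],
};

// Matches the planned-update lines npm prints; \S+ also covers scoped names like @types/got.
const UPDATE_LINE = /^npm WARN audit Updating (\S+) to (\S+), which is outside/;

// Extract { name, version } pairs from raw npm output.
function parsePlannedUpdates(auditOutput) {
  const updates = [];
  for (const line of auditOutput.split('\n')) {
    const m = UPDATE_LINE.exec(line.trim());
    if (m) updates.push({ name: m[1], version: m[2] });
  }
  return updates;
}

// Return every planned update whose target version is not published for that package.
function findMissingTargets(updates, registry) {
  return updates.filter(({ name, version }) => {
    const known = registry[name];
    return !known || !known.includes(version);
  });
}

// Convenience wrapper: raw output in, list of unpublishable targets out.
function checkPlan(auditOutput, registry) {
  return findMissingTargets(parsePlannedUpdates(auditOutput), registry);
}

// Constructed input: the two WARN lines from the issue above.
const SAMPLE_OUTPUT = [
  'npm WARN audit Updating got to 2.0.20, which is outside your stated dependency range.',
  'npm WARN audit Updating nodemon to 2.0.20, which is outside your stated dependency range.',
].join('\n');

for (const { name, version } of checkPlan(SAMPLE_OUTPUT, CONSTRUCTED_REGISTRY)) {
  console.log(`refusing --force: ${name}@${version} is not a published version`);
}
```

With the constructed manifest the check flags got@2.0.20 and passes nodemon@2.0.20, mirroring the ETARGET failure the issue reports.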

@XC- XC- added Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release labels Oct 26, 2022
@lukekarrys lukekarrys added the Priority 1 high priority issue label Nov 9, 2022
@lukekarrys lukekarrys removed their assignment Nov 9, 2022
@lukekarrys
Contributor

Reproduced on 9.1.0 also.
