"npm audit fix" doesn't fix vulnerabilities and instead keeps reporting the same message

Executing the npm audit. It will be enough to show just last three issues - all of them has "fix available via `npm audit fix" message:

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp

undici  <=5.28.5
Severity: high
undici before v5.8.0 vulnerable to CRLF injection in request headers - https://github.com/advisories/GHSA-3cvr-822r-rqcc
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect - https://github.com/advisories/GHSA-q768-x9m6-m9qp
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type - https://github.com/advisories/GHSA-f772-66g8-q5h3
`undici.request` vulnerable to SSRF using absolute URL on `pathname` - https://github.com/advisories/GHSA-8qr4-xgw6-wmr3
Regular Expression Denial of Service in Headers - https://github.com/advisories/GHSA-r6ch-mqf9-qc9w
CRLF Injection in Nodejs ‘undici’ via host - https://github.com/advisories/GHSA-5r9g-qh6m-jxff
Undici's cookie header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-wqq4-5wpv-mx2g
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
Use of Insufficiently Random Values in undici - https://github.com/advisories/GHSA-c76h-2ccp-4975
undici Denial of Service attack via bad certificate data - https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - https://github.com/advisories/GHSA-9qxr-qj54-h672
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
fix available via `npm audit fix`
node_modules/undici

10 vulnerabilities (1 low, 1 moderate, 8 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

All dependencies mentioned above are transitive ones, it means none of them has been directly installed thus none of them listed in package.json.

Executing npm audit fix. As you see the message is completely the same, and the number of vulnerabilities has not changed:

Why nothing has changed?

Versions:

• Node.js: 22.15.0 (current Maintenance LTS)

• npm: 10.9.0

This probably means that the dependencies do have a fix (hence the fix available), but given dependencies tree in your project doesn't allow the automatic fix (for example, parent dependency doesn't have a version which uses dependency with available fix), which leads to the part here: Some issues need review, and may require choosing a different dependency, which probably also means you have some dependencies with No fix available.

So, you'll probably need to dig around with npm ls and replace dependencies.

The reporting audit fix loop is reported as an issue with npm that goes way back, and suggested workaround is to update vulnerable dependencies by hand.

[BUG] npm audit fix doesn't work #3472

and some recent:

[BUG] npm audit fix only reports and doesn't fix #7123

[BUG] npm 7.6.0 audit fix --force recommends running npm audit fix --force (the same command) to fix issues. #2798