npm audit fix: Auto-Upgrade Vulnerable Deps
npm audit fix upgrades vulnerable dependencies to a non-breaking patched version, rewriting package-lock.json; --force allows semver-major bumps.
audit fix is the remediation half of npm audit. It applies the fixes it can do safely within your declared semver ranges, and warns about the rest.
What it does
npm audit fix resolves advisories to patched versions and installs them, updating package-lock.json. Fixes outside your semver ranges are not applied unless you add --force, which can introduce breaking changes. --dry-run shows what it would do without writing.
Common usage
npm audit fix --dry-run
npm audit fix
# allow potentially breaking major upgrades
npm audit fix --forceOptions
| Flag | What it does |
|---|---|
| --dry-run | Report the changes without applying them |
| --force | Allow semver-major (possibly breaking) upgrades |
| --only=prod | Fix only production dependencies |
| --package-lock-only | Update the lockfile without installing |
In CI
Do NOT run npm audit fix as a gate; it mutates the lockfile and --force can break the build with major bumps. Use npm audit --audit-level=high to gate, and run audit fix locally or in a scheduled job that opens a PR for review. Treat --force output as a suggestion, not an automatic change.
Common errors in CI
A build that suddenly breaks after audit fix --force is a semver-major upgrade landing an API change; pin the offending dep and upgrade deliberately. "fixed 0 of N vulnerabilities" means the rest need manual upgrades or have no fix yet. audit fix needs network and a lockfile; it errors offline or without package-lock.json.