Skip to content
Latchkey

npm audit fix: Auto-Upgrade Vulnerable Deps

npm audit fix upgrades vulnerable dependencies to a non-breaking patched version, rewriting package-lock.json; --force allows semver-major bumps.

audit fix is the remediation half of npm audit. It applies the fixes it can do safely within your declared semver ranges, and warns about the rest.

What it does

npm audit fix resolves advisories to patched versions and installs them, updating package-lock.json. Fixes outside your semver ranges are not applied unless you add --force, which can introduce breaking changes. --dry-run shows what it would do without writing.

Common usage

Terminal
npm audit fix --dry-run
npm audit fix
# allow potentially breaking major upgrades
npm audit fix --force

Options

FlagWhat it does
--dry-runReport the changes without applying them
--forceAllow semver-major (possibly breaking) upgrades
--only=prodFix only production dependencies
--package-lock-onlyUpdate the lockfile without installing

In CI

Do NOT run npm audit fix as a gate; it mutates the lockfile and --force can break the build with major bumps. Use npm audit --audit-level=high to gate, and run audit fix locally or in a scheduled job that opens a PR for review. Treat --force output as a suggestion, not an automatic change.

Common errors in CI

A build that suddenly breaks after audit fix --force is a semver-major upgrade landing an API change; pin the offending dep and upgrade deliberately. "fixed 0 of N vulnerabilities" means the rest need manual upgrades or have no fix yet. audit fix needs network and a lockfile; it errors offline or without package-lock.json.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →