Skip to content
Latchkey

npm audit fix: Usage, Options & Common Errors

Automatically upgrade vulnerable dependencies.

npm audit fix installs compatible (in-range) updates that resolve advisories, rewriting node_modules and the lockfile. --force allows breaking upgrades.

What it does

Resolves and installs the minimum semver-compatible updates that clear advisories. Advisories that can only be fixed by a major bump are reported but skipped unless you pass --force, which may install breaking versions.

Common usage

Terminal
npm audit fix               # apply in-range fixes
npm audit fix --dry-run     # preview changes
npm audit fix --force       # allow breaking (major) upgrades
npm audit fix --omit=dev    # production deps only

Common CI error: --force breaks the build

A CI auto-remediation that runs npm audit fix --force introduces a major version bump that breaks the app at build or runtime. Never run --force unattended in CI - generate a PR with --dry-run output, review it, and let tests catch the breakage before merge.

.github/workflows/ci.yml
npm audit fix --dry-run     # inspect, then PR - do not --force in CI

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →