npm audit fix: Usage, Options & Common Errors
Automatically upgrade vulnerable dependencies.
npm audit fix installs compatible (in-range) updates that resolve advisories, rewriting node_modules and the lockfile. --force allows breaking upgrades.
What it does
Resolves and installs the minimum semver-compatible updates that clear advisories. Advisories that can only be fixed by a major bump are reported but skipped unless you pass --force, which may install breaking versions.
Common usage
npm audit fix # apply in-range fixes
npm audit fix --dry-run # preview changes
npm audit fix --force # allow breaking (major) upgrades
npm audit fix --omit=dev # production deps onlyCommon CI error: --force breaks the build
A CI auto-remediation that runs npm audit fix --force introduces a major version bump that breaks the app at build or runtime. Never run --force unattended in CI - generate a PR with --dry-run output, review it, and let tests catch the breakage before merge.
npm audit fix --dry-run # inspect, then PR - do not --force in CI