npm audit fix: Auto-Patch Vulnerabilities
npm audit fix rewrites your lockfile to pull in patched dependency versions.
audit fix is convenient but can introduce breaking changes with --force. In automation, run it on a branch and open a PR rather than mutating the main build.
Common flags
--force- allow major version bumps (risky)--dry-run- preview changes--package-lock-only- update the lockfile without installing
Example in CI
Preview fixes in a scheduled job, then open a PR.
shell
npm audit fix --dry-runIn CI
Never run audit fix --force in a blocking pipeline; it can swap in breaking majors. Prefer a bot (Dependabot/Renovate) that proposes reviewable updates.
Key takeaways
- Avoid
--forcein automated pipelines. - Use
--dry-runto preview. - Prefer a PR bot for reviewable updates.