pip-audit --fix: Upgrade Vulnerable Packages
pip-audit --fix upgrades vulnerable packages to the nearest fixed version; with -r it rewrites the requirements file, and --dry-run previews the changes.
The --fix flag is pip-audit's remediation mode. It applies the upgrade that clears each advisory, either in the environment or in a pinned requirements file.
What it does
pip-audit --fix installs the fixed version for each vulnerable package; combined with -r requirements.txt it rewrites the pins in that file. --dry-run --fix prints the planned upgrades without applying them. It can only fix advisories that have a known fixed version.
Common usage
# preview the upgrades
pip-audit --fix --dry-run
# rewrite pins in a requirements file
pip-audit -r requirements.txt --fixOptions
| Flag | What it does |
|---|---|
| --fix | Upgrade vulnerable packages to a fixed version |
| --dry-run | Show what would change without applying it |
| -r <file> | Rewrite pins in this requirements file |
| --ignore-vuln <id> | Skip an advisory that has no acceptable fix |
In CI
As with npm audit fix, do not auto-apply --fix in a gate; it mutates pins and can pull in incompatible versions. Gate with plain pip-audit and run --fix in a scheduled job that opens a PR. Pair --fix --dry-run in CI to surface available fixes without changing the tree.
Common errors in CI
"Unable to fix" for an advisory means no fixed version exists yet; ignore it with --ignore-vuln and track upstream. A post-fix test failure means an upgraded package changed behavior; pin it and upgrade deliberately. --fix needs network to download the new wheels, so it fails on an offline runner.