Skip to content
Latchkey

pip-audit --fix: Upgrade Vulnerable Packages

pip-audit --fix upgrades vulnerable packages to the nearest fixed version; with -r it rewrites the requirements file, and --dry-run previews the changes.

The --fix flag is pip-audit's remediation mode. It applies the upgrade that clears each advisory, either in the environment or in a pinned requirements file.

What it does

pip-audit --fix installs the fixed version for each vulnerable package; combined with -r requirements.txt it rewrites the pins in that file. --dry-run --fix prints the planned upgrades without applying them. It can only fix advisories that have a known fixed version.

Common usage

Terminal
# preview the upgrades
pip-audit --fix --dry-run
# rewrite pins in a requirements file
pip-audit -r requirements.txt --fix

Options

FlagWhat it does
--fixUpgrade vulnerable packages to a fixed version
--dry-runShow what would change without applying it
-r <file>Rewrite pins in this requirements file
--ignore-vuln <id>Skip an advisory that has no acceptable fix

In CI

As with npm audit fix, do not auto-apply --fix in a gate; it mutates pins and can pull in incompatible versions. Gate with plain pip-audit and run --fix in a scheduled job that opens a PR. Pair --fix --dry-run in CI to surface available fixes without changing the tree.

Common errors in CI

"Unable to fix" for an advisory means no fixed version exists yet; ignore it with --ignore-vuln and track upstream. A post-fix test failure means an upgraded package changed behavior; pin it and upgrade deliberately. --fix needs network to download the new wheels, so it fails on an offline runner.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →