security

npm audit fix

Automatically installs compatible updates that resolve reported vulnerabilities without breaking your declared semver ranges. `--force` will accept SemVer-major bumps.

npm audit fix [--force] [--dry-run]

Common flags

Flag Purpose
--force (-f) Install SemVer-major fixes; may include breaking changes
--dry-run Show what would change without modifying files
--only=prod Fix production dependencies only
--json Machine-readable report of what was fixed

Examples

npm audit fix

Apply all safe fixes within your semver ranges

npm audit fix --dry-run

Preview which packages would be updated

npm audit fix --force

Also accept breaking major-version upgrades

Gotcha

`--force` is destructive — it can cross major versions and silently break your app; always run tests afterwards and commit lockfile changes separately. For dev-only vulnerabilities, weigh whether to fix at all.

Related commands

← All npm commands · npm vs pnpm vs Yarn · Fix Node OOM