security
npm audit fix
Automatically installs compatible updates that resolve reported vulnerabilities without breaking your declared semver ranges. `--force` will accept SemVer-major bumps.
npm audit fix [--force] [--dry-run] Common flags
| Flag | Purpose |
|---|---|
| --force (-f) | Install SemVer-major fixes; may include breaking changes |
| --dry-run | Show what would change without modifying files |
| --only=prod | Fix production dependencies only |
| --json | Machine-readable report of what was fixed |
Examples
npm audit fix Apply all safe fixes within your semver ranges
npm audit fix --dry-run Preview which packages would be updated
npm audit fix --force Also accept breaking major-version upgrades
Gotcha
`--force` is destructive — it can cross major versions and silently break your app; always run tests afterwards and commit lockfile changes separately. For dev-only vulnerabilities, weigh whether to fix at all.
Related commands
npm audit
Submits the dependency tree to the registry's security advisory database and reports known vulnerabilities. Exits non-zero when problems at or above the audit level are found.
npm update
Updates packages to the newest version that still satisfies the semver range in package.json and refreshes package-lock.json. Without arguments, it tries every listed dependency.
npm ci
Performs a clean, deterministic install straight from package-lock.json (or npm-shrinkwrap.json) intended for CI environments. It deletes any existing node_modules and refuses to run if package.json and the lockfile are out of sync.