npm audit fix
is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
I assumed that npm audit fix
would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install
. However npm audit fix
still performs a lot of changes after lock file removal + reinstall.
What exactly does npm audit fix
do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json
(but still semver-compatible)?
If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package dependency tree. Since the advisory database can be updated at any time, we recommend regularly running npm audit manually, or adding npm audit to your continuous integration process.
The npm audit command submits a description of the dependencies configured in your package to your default registry and asks for a report of known vulnerabilities. npm audit checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies, but does not check peerDependencies.
You can skip auditing at all by adding the --no-audit flag.
Also note that since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install -- so things like npm audit fix --package-lock-only will work as expected. By default, the audit command will exit with a non-zero code if any vulnerability is found.
package.json - What does "npm audit fix" exactly do? - Stack Overflow What does "npm audit fix" exactly do? Bookmark this question. Show activity on this post. npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
You can also have npm automatically fix the vulnerabilities by running npm audit fix. Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review.
Once it receives a response from the registry, NPM begins the process of fixing those vulnerabilities. The response from NPM outlines the actions to be taken regarding vulnerabilities in your dependencies. The response body looks something like this:
From NPM's site on their audit command:
npm audit fix
runs a full-fledgednpm install
under the hood
And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:
Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:
$ npm audit fix --force
As for the lock file, it is regenerated each time you run a command that changes package.json
. There is more information about that in an answer here as well as in the official documentation.
In my understanding is not only "upgrading" but sometimes also downgrading in order to install the stable version that fix the issue, sometimes those issues comes in newer versions that maybe have introduced bugs or simply do not match with previous package's API etc.
E.g in my case for example npm install have upgrade react-script to 5.0.0 that has some issue and after have run:
npm audit fix --force
The force flag does : To address all issues (including breaking changes), run: npm audit fix --force
it installed the 3.0.1 with following message:
npm WARN audit Updating react-scripts to 3.0.1,which is a SemVer major change.
So it does the upgrade to the stable version of that package that fix the issue.
On top, though docs state "is running npm install under the hood" but not in the sense of installing newest version of a dependency, but could be useful also to check what happens with npm ci What is the difference between "npm install" and "npm ci"?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With