92

npm audit fix is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.

I assumed that npm audit fix would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install. However npm audit fix still performs a lot of changes after lock file removal + reinstall.

What exactly does npm audit fix do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json (but still semver-compatible)?

Sampo
  • 4,308
  • 6
  • 35
  • 51

2 Answers2

56

From NPM's site on their audit command:

npm audit fix runs a full-fledged npm install under the hood

And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:

Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:

$ npm audit fix --force

As for the lock file, it is regenerated each time you run a command that changes package.json. There is more information about that in an answer here as well as in the official documentation.

danronmoon
  • 3,814
  • 5
  • 34
  • 56
Noah May
  • 1,049
  • 8
  • 18
  • 5
    Most of the time do not do this. Running audit fix will update some of the packages but not all their dependencies which can causes run time errors. – CharithJ Feb 02 '21 at 23:58
  • 4
    Since `npm audit fix` runs `npm install`, I would think it would update sub-dependencies (unless npm install does not either). Idk though. I haven't kept up with nodejs for a while. – Noah May Feb 03 '21 at 04:45
14

In my understanding is not only "upgrading" but sometimes also downgrading in order to install the stable version that fix the issue, sometimes those issues comes in newer versions that maybe have introduced bugs or simply do not match with previous package's API etc.

E.g in my case for example npm install have upgrade react-script to 5.0.0 that has some issue and after have run:

npm audit fix --force

The force flag does : To address all issues (including breaking changes), run: npm audit fix --force

it installed the 3.0.1 with following message:

npm WARN audit Updating react-scripts to 3.0.1,which is a SemVer major change.

So it does the upgrade to the stable version of that package that fix the issue.

On top, though docs state "is running npm install under the hood" but not in the sense of installing newest version of a dependency, but could be useful also to check what happens with npm ci What is the difference between "npm install" and "npm ci"?

Carmine Tambascia
  • 1,628
  • 2
  • 18
  • 32