There is something I don't understand with how `npm audit fix` works. From the docs:

> `npm audit fix` runs a full-fledged `npm install` under the hood

So why, when I run `npm install` and see audit vulnerabilities, do I have to run `npm audit fix` manually to fix them?

Mureinik
nrofis

1 Answer

`npm install` without any arguments will just install the dependencies in your `package-lock.json` (assuming it exists). `npm audit fix` will use the audit information to figure out what dependencies need to be upgraded and install them, as long as they don't conflict with your `package.json`.

Mureinik
  • As far as I know, `npm install` installs dependencies in `package.json` and `npm ci` installs dependencies in `package-lock.json`. So what is the difference between `npm install` and `npm ci`? – nrofis Jun 23 '21 at 20:37
  • Moreover, if I have both `package.json` and `package-lock.json` and manually change the `package.json` and run `npm install` it will use the new version from `package.json` that I've just edited... – nrofis Jun 23 '21 at 20:39
  • @nrofis see here: https://stackoverflow.com/q/52499617/2422776 – Mureinik Jun 23 '21 at 20:39
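
The behaviour described in the answer above, as a simplified model added here for illustration (it is not npm's code and not part of the original answer): a locked vulnerable version survives a plain install, while the audit-driven fix moves only to a patched version that the `package.json` range still allows. The function names `satisfies` and `plan`, the restriction to exact, `~` and `^` ranges, and the sample versions are assumptions made for this example.

```javascript
// Simplified model, not npm's resolver: versions are plain MAJOR.MINOR.PATCH,
// ranges are exact, ~x.y.z or ^x.y.z, and every version below `firstPatched`
// is treated as vulnerable. All names and sample data here are constructed.
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// Does `version` satisfy the range declared in package.json?
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = op ? range.slice(1) : range;
  if (cmp(version, base) < 0) return false;
  const [vMaj, vMin] = parse(version);
  const [bMaj, bMin] = parse(base);
  if (op === "~") return vMaj === bMaj && vMin === bMin;
  if (op === "^" && bMaj > 0) return vMaj === bMaj;
  if (op === "^" && bMin > 0) return vMaj === 0 && vMin === bMin;
  return cmp(version, base) === 0; // exact pin, or ^0.0.z
}

// locked: version pinned in package-lock.json; range: from package.json;
// firstPatched: lowest fixed version per the advisory; published: registry versions.
function plan({ locked, range, firstPatched, published }) {
  const result = { install: locked, auditFix: locked, needsForce: false };
  // Plain `npm install` honours the lock file, so the pinned version stays.
  if (cmp(locked, firstPatched) >= 0) return result; // nothing to fix
  const patched = published.filter((v) => cmp(v, firstPatched) >= 0).sort(cmp);
  const inRange = patched.filter((v) => satisfies(v, range));
  // `npm audit fix` may only move to a patched version the range allows
  // (modelled here as the highest one); otherwise the range itself must change.
  result.auditFix = inRange.length ? inRange[inRange.length - 1] : null;
  result.needsForce = inRange.length === 0 && patched.length > 0;
  return result;
}

const published = ["1.2.0", "1.2.5", "1.3.1", "2.0.0"];
const minorFix = plan({ locked: "1.2.0", range: "^1.2.0", firstPatched: "1.2.5", published });
const majorFix = plan({ locked: "1.2.0", range: "^1.2.0", firstPatched: "2.0.0", published });
console.log(minorFix, majorFix);
```

In this model `needsForce` marks the case where the only patched release is outside the declared range, which is where `npm audit fix --force` or a manual `package.json` edit comes in.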