npm audit fix
is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
I assumed that npm audit fix
would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install
. However npm audit fix
still performs a lot of changes after lock file removal + reinstall.
What exactly does npm audit fix
do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json
(but still semver-compatible)?
From NPM's site on their audit command:
npm audit fix
runs a full-fledgednpm install
under the hood
And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:
Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:
$ npm audit fix --force
As for the lock file, it is regenerated each time you run a command that changes package.json
. There is more information about that in an answer here as well as in the official documentation.