Reputation: 5068
`npm audit fix` is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
I assumed that `npm audit fix` would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver definitions of the packages – effectively the same as `rm package-lock.json; npm install`. However, `npm audit fix` still performs a lot of changes after lock file removal + reinstall.
What exactly does `npm audit fix` do? Does it, for example, install versions of dependencies newer than those allowed by the corresponding `package.json` (but still semver-compatible)?
Upvotes: 123
Views: 198527
Reputation: 1938
In my understanding it is not only "upgrading" but sometimes also downgrading, in order to install the stable version that fixes the issue; sometimes those issues come in newer versions that may have introduced bugs or simply do not match the previous package's API, etc.
E.g. in my case `npm install` had upgraded react-scripts to 5.0.0, which has some issue, and after running:
`npm audit fix --force`
(the force flag does: "To address all issues (including breaking changes), run: npm audit fix --force")
it installed 3.0.1 with the following message:
`npm WARN audit Updating react-scripts to 3.0.1,which is a SemVer major change.`
So it did a downgrade to the stable version of that package that fixes the issue, where the APIs of libraries A, B, C can communicate (be called and used between them).
On top, though the docs state it "is running npm install under the hood", that is not in the sense of installing the newest version of a dependency; it could also be useful to check what happens with `npm ci`: What is the difference between "npm install" and "npm ci"?
Upvotes: 24
Reputation: 3
I had to use this command once, but it failed to solve my redux hook error, and I went back and typed the commands one by one instead of all of them at once.
Upvotes: -4
Reputation: 1179
From NPM's site on their audit command:
> `npm audit fix` runs a full-fledged `npm install` under the hood
And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:
> Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:
> `$ npm audit fix --force`
As for the lock file, it is regenerated each time you run a command that changes `package.json`. There is more information about that in an answer here as well as in the official documentation.
Upvotes: 65
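To make the "semver-compatible by default, semver-major only with `--force`" distinction concrete, here is an added example (not from the question, the answers, or npm's own code) that models how a caret range in `package.json` limits which fix versions can be chosen. The version list and the advisory are constructed, the advisory is simplified to "everything below the patched version is vulnerable", and only caret ranges with major >= 1 are handled; npm's real resolver is more involved.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers (constructed helper, no prerelease support).
function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// Numeric semver comparison: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Caret semantics for a major >= 1 range such as "^4.17.11":
// same major, at or above the base version.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are modelled");
  const base = range.slice(1);
  return parseVersion(version).major === parseVersion(base).major && compare(version, base) >= 0;
}

// Advisory modelled as: every version below `patched` is vulnerable (assumption).
function isVulnerable(advisory, version) {
  return compare(version, advisory.patched) < 0;
}

// Pick a fix: the highest available non-vulnerable version that still satisfies
// the declared range; with force=true, the highest non-vulnerable version at all,
// even across a semver-major boundary. Returns null when no fix fits the range,
// which is the situation where `npm audit fix` reports that --force is required.
function chooseFix(declaredRange, available, advisory, force = false) {
  const candidates = available
    .filter(v => !isVulnerable(advisory, v))
    .filter(v => force || satisfiesCaret(declaredRange, v))
    .sort(compare);
  if (candidates.length === 0) return null;
  const chosen = candidates[candidates.length - 1];
  const declaredMajor = parseVersion(declaredRange.slice(1)).major;
  return { version: chosen, semverMajorChange: parseVersion(chosen).major !== declaredMajor };
}

// Constructed registry contents and advisories for the demonstration.
const AVAILABLE = ["4.17.11", "4.17.15", "4.17.21", "5.0.0", "5.1.0"];
const PATCHED_IN_4 = { patched: "4.17.21" }; // fix exists inside the ^4 range
const PATCHED_ONLY_IN_5 = { patched: "5.0.0" }; // fix requires a major bump

module.exports = { parseVersion, compare, satisfiesCaret, isVulnerable, chooseFix, AVAILABLE, PATCHED_IN_4, PATCHED_ONLY_IN_5 };
```

Running `chooseFix("^4.17.11", AVAILABLE, PATCHED_ONLY_IN_5)` returns null, while the same call with `force = true` returns 5.1.0 flagged as a semver-major change, mirroring the warning quoted in the react-scripts answer above.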