Understanding npm audit and npm audit fix

If you’ve worked with npm (Node Package Manager) in JavaScript projects, you’ve probably seen warnings like:

        found 4 vulnerabilities (1 low, 2 moderate, 1 high)
        run `npm audit fix` to fix them

1. What is npm audit?

npm audit is a built-in npm command that checks every package in your project's dependency tree against a database of published security advisories and reports the ones with known vulnerabilities.

How it works:

  • Reads package-lock.json (or npm-shrinkwrap.json) to get the exact version of every installed package, including transitive ones. It does not read yarn.lock; Yarn has its own audit command.
  • Sends that list to the npm registry's audit endpoint, which matches it against a database of published advisories (the GitHub Advisory Database).
  • Reports each finding with the advisory's severity level:
    • Info/Low – Limited impact, or exploitable only in unusual setups.
    • Moderate – Real impact under specific conditions.
    • High/Critical – Serious impact (for example code execution, file overwrite or an auth bypass); fix as soon as possible.

The severity is the advisory's rating of the flaw itself, not a measure of whether your code actually reaches the vulnerable function, so treat it as a priority hint rather than a verdict.

Run the following command in your project directory (npm audit needs a package-lock.json, so run npm install first if you don't have one):

        npm audit

And you should see something like:

        # npm audit report

        tar-fs  <=2.1.2
        Severity: high
        Arbitrary File Overwrite - https://github.com/advisories/GHSA-xxxx
        fix available via `npm audit fix`

2. Why Do Vulnerabilities Happen?

Most audit findings come from:

  • Outdated packages – The version you have was released before the flaw was found and fixed.
  • Transitive dependencies – A package you use depends on another, vulnerable package. This is where most findings come from, since a typical project has far more transitive than direct dependencies.
  • Malicious packages – Rare, but packages have been published with malicious install scripts or code. Note that npm audit only reports published advisories; it does not analyse code and will not catch a malicious package nobody has reported yet.

Let's say you install package-A, which depends on a specific version of package-B. Later, an advisory is published for that version of package-B. Even though you didn't install package-B directly, your project is still at risk, and npm audit will report the finding against package-B and name package-A as the path that pulls it in.

3. How to Fix Vulnerabilities?

Option 1: npm audit fix (Automatic Fix)

        npm audit fix

Re-runs the install with the vulnerable packages bumped to fixed versions, but only within the semver ranges your package.json already allows (patch and minor updates). It never crosses a major version, which is why it is the safe default; it still changes what you ship, so run your test suite afterwards. Preview what it would change with `npm audit fix --dry-run`. If no fixed version fits the existing range, the report tells you the fix needs --force, or that no fix is available.

Option 2: npm audit fix --force (Aggressive Fix)

Also installs semver-major updates of your top-level dependencies (and rewrites package.json accordingly) when that is the only way to reach a fixed version. Major versions are allowed to contain breaking changes, so this can break your app. Use it deliberately, on a branch, with a diff of package.json and your tests in front of you.

        npm audit fix --force

Option 3: Manual Updates

If npm audit fix cannot resolve a finding, start by finding out which of your direct dependencies pulls in the vulnerable package:

        npm why <vulnerable-package> # e.g., npm why tar-fs

(npm ls tar-fs shows the same chain as a tree.) Then update that direct dependency to a release that depends on a fixed version of the vulnerable package. If its maintainer has not published one, the overrides field in package.json (npm 8.3 and later) lets you pin the transitive package to the fixed version yourself; re-run your tests afterwards, because the dependent may not have been written for that version.


Security warnings can be scary, but npm audit is your friend! It helps you catch known issues before they become real problems.

  • For beginners: Start with npm audit fix, then read the report for anything it could not fix.
  • For bigger projects: Run npm audit in CI (npm audit --audit-level=high makes it fail only on high or critical findings), review what needs --force or a manual update, and keep dependencies current.