socket fix

Update dependencies with fixable Socket alerts

The socket fix command automatically upgrades vulnerable dependencies in your project to secure versions, using intelligent upgrade planning to minimize the risk of breaking changes.

$ socket fix --help

  Update dependencies with "fixable" Socket alerts

  Usage
    $ socket fix [options] [CWD=.]

  API Token Requirements
    - Quota: 101 units
    - Permissions: full-scans:create and packages:list

  Options
    --autopilot         Enable auto-merge for pull requests that Socket opens.
                        See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
    --id                Provide a list of vulnerability identifiers to compute fixes for:
                            - GHSA IDs (https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids) (e.g., GHSA-xxxx-xxxx-xxxx)
                            - CVE IDs (https://cve.mitre.org/cve/identifiers/) (e.g., CVE-2025-1234) - automatically converted to GHSA
                            - PURLs (https://github.com/package-url/purl-spec) (e.g., pkg:npm/[email protected]) - automatically converted to GHSA
                            Can be provided as comma separated values or as multiple flags
    --json              Output result as json
    --limit             The number of fixes to attempt at a time (default 10)
    --markdown          Output result as markdown
    --range-style       Define how dependency version ranges are updated in package.json (default 'preserve').
                        Available styles:
                          * pin - Use the exact version (e.g. 1.2.3)
                          * preserve - Retain the existing version range style as-is

  Examples
    $ socket fix
    $ socket fix ./proj/tree --auto-merge

Overview

Socket Fix gives developers a faster, safer way to clear vulnerabilities without endless manual upgrades. With Socket Fix, you can now:

  • Target specific vulnerabilities - Fix the CVEs that matter most to your team
  • Apply fixes locally - Test changes before committing
  • Support multiple ecosystems - Works with npm, pnpm, Yarn, Maven and many more
  • Use intelligent upgrade planning - Finds the least disruptive upgrade path

How Socket Fix Works

Socket Fix uses an advanced compute-and-apply fix engine to intelligently resolve vulnerabilities:

  1. Scans your dependencies - Identifies all vulnerable packages in your project
  2. Computes upgrade paths - Determines the minimal set of changes needed to fix vulnerabilities
  3. Applies updates - Modifies your manifest and lock files with the secure versions

Example Fix Scenario

Suppose your application depends on [email protected]:

  • This version has a dependency constraint of ^1.3.0 on estree-util-value-to-estree
  • A vulnerability (GHSA-f7f6-9jq7-3rqj) affects all versions of estree-util-value-to-estree below 3.3.3
  • The patched [email protected] updates its constraint to ^3.3.3
  • Socket Fix automatically upgrades to [email protected] to resolve the vulnerability
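The version-range reasoning behind this scenario, written out as an added example (not Socket's own code): it models npm caret ranges only, and the parent package's version strings are placeholders because the page does not state them.

```javascript
// Added example, not Socket's code. Models the scenario above with plain npm
// caret ranges to show why the transitive fix needs a parent upgrade.
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  return x.major - y.major || x.minor - y.minor || x.patch - y.patch;
}

// Caret semantics: ^X.Y.Z means >=X.Y.Z <(X+1).0.0 when X > 0,
// and >=0.Y.Z <0.(Y+1).0 when X == 0. Other range forms are rejected, not guessed.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const min = range.slice(1);
  const { major, minor } = parseVersion(min);
  const maxExclusive = major > 0 ? `${major + 1}.0.0` : `0.${minor + 1}.0`;
  return { min, maxExclusive };
}

function rangeAllows(range, version) {
  const { min, maxExclusive } = caretBounds(range);
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// The advisory marks every version below `patched` as vulnerable, so a constraint
// can resolve to a safe version only if its upper bound lies above `patched`
// (assumes a release at or above `patched` exists inside that bound).
function constraintCanReachFix(constraint, patched) {
  return compareVersions(patched, caretBounds(constraint).maxExclusive) < 0;
}

// Least disruptive action for one parent/transitive pair: refreshing the lockfile
// suffices if the current constraint already reaches the fix; otherwise the parent
// must move to the version whose constraint does.
function planFix({ current, upgraded, patched }) {
  if (constraintCanReachFix(current.constraint, patched)) return { action: 'refresh-lockfile' };
  if (constraintCanReachFix(upgraded.constraint, patched)) return { action: 'upgrade-parent', to: upgraded.version };
  return { action: 'no-fix-available' };
}

// Constructed from the scenario on this page; parent versions are placeholders.
const scenario = {
  patched: '3.3.3', // GHSA-f7f6-9jq7-3rqj: estree-util-value-to-estree below 3.3.3
  current: { version: 'current-parent-version', constraint: '^1.3.0' },
  upgraded: { version: 'patched-parent-version', constraint: '^3.3.3' },
};
```

Running `planFix(scenario)` yields the parent upgrade, because nothing inside ^1.3.0 can ever resolve to 3.3.3 or later.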

Usage

Target Specific Vulnerabilities

Fix only specific CVEs or GHSA advisories using the --id flag:

# Fix a specific GHSA
$ socket fix --id GHSA-hhq3-ff78-jv3g

# Fix multiple vulnerabilities
$ socket fix --id GHSA-xxxx-xxxx-xxxx,GHSA-yyyy-yyyy-yyyy

# Using multiple flags
$ socket fix --id GHSA-xxxx-xxxx-xxxx --id GHSA-yyyy-yyyy-yyyy

Fix all CVEs

Run socket fix in your project directory to automatically fix all fixable vulnerabilities:

$ socket fix

Notice: Use this mode with care. Upgrading many dependencies simultaneously makes it difficult to uncover the culprit if something breaks.

Developer Workflow

The developer-friendly workflow makes it easy to apply fixes locally:

  1. Run Socket Fix in your project directory
  2. Review the changes to your manifest and lock files
  3. Test your application to ensure everything still works
  4. Open a pull request with the changes

This workflow allows you to:

  • Apply fixes locally before committing
  • Test changes thoroughly
  • Maintain control over what gets merged
  • Document security updates in your commit history

Options

--id

Target specific vulnerabilities by their identifiers:

  • GHSA IDs: GitHub Security Advisory Database identifiers

# Target a specific vulnerability
$ socket fix --id GHSA-f7f6-9jq7-3rqj

--limit

Control how many fixes to attempt at once (default: 10):

# Fix up to 5 vulnerabilities
$ socket fix --limit 5

# Fix up to 10 vulnerabilities
$ socket fix

--range-style

Define how dependency version ranges are updated:

  • preserve (default): Retains existing version range style
  • pin: Uses exact versions (e.g., 1.2.3 instead of ^1.2.3)

# Keep existing range style
$ socket fix --range-style preserve

# Pin to exact versions
$ socket fix --range-style pin

Output Formats

--json

Output results in JSON format for programmatic processing:

$ socket fix --json

--markdown

Output results in Markdown format for documentation:

$ socket fix --markdown

Supported Ecosystems

Socket Fix supports:

  • JavaScript/TypeScript (npm, pnpm v6 or newer, Yarn classic and berry)
  • Golang (go.sum/go.mod)
  • Java (Maven, Gradle with gradle.lockfile)
  • C# (NuGet - packages.lock.json support is coming later)
  • Rust (Cargo)

Coming Soon:

  • Ruby (RubyGems)
  • Python (uv with uv.lock, pylock.toml, or requirements.txt)
  • Scala (SBT)

API Token Requirements

To use socket fix, your API token needs:

  • Quota: 101 units per execution
  • Permissions:
    • full-scans:create - to scan your dependencies
    • packages:list - to retrieve package information

Examples

Fix all vulnerabilities in current directory

$ socket fix

Fix vulnerabilities in a specific project

$ socket fix ./proj/tree

Target high-priority CVEs

$ socket fix --id GHSA-hhq3-ff78-jv3g

Generate a fix report

$ socket fix --markdown > security-fixes.md

Conservative approach with exact versions

$ socket fix --limit 1 --range-style pin

Best Practices

  1. Test locally first - Run Socket Fix locally and test before pushing changes
  2. Use version control - Commit before running Socket Fix for easy rollback
  3. Review changes - Always review what Socket Fix changed in your dependencies
  4. Incremental updates - Use --limit or --id for gradual updates in large projects

Notes

  • Socket Fix respects your project's .gitignore file
  • Only dependencies with known safe fixes are updated
  • The command will not downgrade packages
  • The fix engine uses sophisticated upgrade planning to minimize breaking changes