socket fix

Update dependencies with fixable Socket alerts

The socket fix command automatically upgrades vulnerable dependencies in your project to secure versions, using intelligent upgrade planning to minimize the risk of breaking changes.

socket fix --help

  Fix CVEs in dependencies

  Usage
    $ socket fix [options] [CWD=.]

  API Token Requirements
    - Quota: 101 units
    - Permissions: full-scans:create and packages:list

  Options
    --autopilot         Enable auto-merge for pull requests that Socket opens.
                        See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
    --id                Provide a list of vulnerability identifiers to compute fixes for:
                            - GHSA IDs (https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids) (e.g., GHSA-xxxx-xxxx-xxxx)
                            - CVE IDs (https://cve.mitre.org/cve/identifiers/) (e.g., CVE-2025-1234) - automatically converted to GHSA
                            - PURLs (https://github.com/package-url/purl-spec) (e.g., pkg:npm/[email protected]) - automatically converted to GHSA
                            Can be provided as comma separated values or as multiple flags
    --json              Output as JSON
    --limit             The number of fixes to attempt at a time (default 10)
    --markdown          Output as Markdown
    --minimum-release-age  Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of upgrading to malicious versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions.
    --no-apply-fixes    Compute fixes only, do not apply them. Logs what upgrades would be applied. If combined with --output-file, the output file will contain the upgrades that would be applied.
    --no-major-updates  Do not suggest or apply fixes that require major version updates of direct or transitive dependencies
    --output-file       Path to store upgrades as a JSON file at this path.
    --range-style       Define how dependency version ranges are updated in package.json (default 'preserve').
                        Available styles:
                          * pin - Use the exact version (e.g. 1.2.3)
                          * preserve - Retain the existing version range style as-is
    --show-affected-direct-dependencies  List the direct dependencies responsible for introducing transitive vulnerabilities and list the updates required to resolve the vulnerabilities

  Environment Variables (for CI/PR mode)
    CI                          Set to enable CI mode
    SOCKET_CLI_GITHUB_TOKEN     GitHub token for PR creation (or GITHUB_TOKEN)
    SOCKET_CLI_GIT_USER_NAME    Git username for commits
    SOCKET_CLI_GIT_USER_EMAIL   Git email for commits

  Examples
    $ socket fix
    $ socket fix --id CVE-2021-23337
    $ socket fix ./path/to/project --range-style pin

Overview

Socket Fix gives developers a faster, safer way to clear vulnerabilities without endless manual upgrades. With Socket Fix, you can now:

  • Target specific vulnerabilities - Fix the CVEs that matter most to your team
  • Apply fixes locally - Test changes before committing
  • Support multiple ecosystems - Works with npm, pnpm, Yarn, Maven and many more
  • Use intelligent upgrade planning - Finds the least disruptive upgrade path

How Socket Fix Works

Socket Fix uses an advanced compute-and-apply fix engine to intelligently resolve vulnerabilities:

  1. Scans your dependencies - Identifies all vulnerable packages in your project
  2. Computes upgrade paths - Determines the minimal set of changes needed to fix vulnerabilities
  3. Applies updates - Modifies your manifest and lock files with the secure versions

Example Fix Scenario

Suppose your application depends on [email protected]:

  • This version has a dependency constraint of ^1.3.0 on estree-util-value-to-estree
  • A vulnerability (GHSA-f7f6-9jq7-3rqj) affects all versions of estree-util-value-to-estree below 3.3.3
  • The patched [email protected] updates its constraint to ^3.3.3
  • Socket Fix automatically upgrades to [email protected] to resolve the vulnerability

Usage

Target Specific Vulnerabilities

Fix only specific CVEs or GHSA advisories using the --id flag:

# Fix a specific GHSA
$ socket fix --id GHSA-hhq3-ff78-jv3g

# Fix multiple vulnerabilities
$ socket fix --id GHSA-xxxx-xxxx-xxxx,GHSA-yyyy-yyyy-yyyy

# Using multiple flags
$ socket fix --id GHSA-xxxx-xxxx-xxxx --id GHSA-yyyy-yyyy-yyyy

Fix all CVEs

Run socket fix in your project directory to automatically fix all fixable vulnerabilities:

$ socket fix

Notice: Use this mode with care. Upgrading many dependencies simultaneously makes it difficult to uncover the culprit if something breaks.

Developer Workflow

The developer-friendly workflow makes it easy to apply fixes locally:

  1. Run Socket Fix in your project directory
  2. Review the changes to your manifest and lock files
  3. Test your application to ensure everything still works
  4. Open a pull request with the changes

This workflow allows you to:

  • Apply fixes locally before committing
  • Test changes thoroughly
  • Maintain control over what gets merged
  • Document security updates in your commit history

Create and Merge PRs (Autopilot Mode)

Run socket fix --autopilot from a GitHub Actions workflow to have Socket open pull requests with the fixes and enable auto-merge on them, so each PR merges on its own once all required checks pass. Two prerequisites to check: auto-merge must be allowed in the repository settings (see the GitHub documentation linked under --autopilot above), and the PR must be created with a token whose events trigger your CI. Pull requests opened with the workflow's own GITHUB_TOKEN do not start other workflow runs, so if your branch protection requires status checks, those checks never run and auto-merge never completes; in that case supply a GitHub App installation token or a fine-grained personal access token in SOCKET_CLI_GITHUB_TOKEN instead of secrets.GITHUB_TOKEN.

Below is an example of how to set up the autopilot fix to run twice a day for a pnpm project:

name: Socket Fix
on:
  schedule:
    - cron: '0 0 * * *'
    - cron: '0 12 * * *'
permissions:
  contents: write
  pull-requests: write
jobs:
  socket-fix:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

      - name: Setup pnpm
        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda
        with:
          version: '^10.16.0'

      - name: Setup Node.js with pnpm cache
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
        with:
          node-version: "22"
          cache: 'pnpm'

      - name: Install dependencies
        shell: bash
        run: >
          pnpm dlx @socketsecurity/cli pnpm install --config '{"issueRules":{"malware":true}}'

      - name: Run Socket Fix CLI
        env:
          SOCKET_CLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SOCKET_CLI_GIT_USER_EMAIL: socket-fix[bot]@users.noreply.github.com
          SOCKET_CLI_GIT_USER_NAME: socket-fix[bot]
          SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_CLI_API_TOKEN }}
        run: pnpm dlx @socketsecurity/cli fix --autopilot

Options

--id

Target specific vulnerabilities by their identifiers:

  • GHSA IDs: GitHub Security Advisory Database identifiers (e.g., GHSA-xxxx-xxxx-xxxx)
  • CVE IDs: automatically converted to the corresponding GHSA (e.g., CVE-2025-1234)
  • PURLs: package URLs naming a vulnerable package version, automatically converted to GHSA

# Target a specific vulnerability
$ socket fix --id GHSA-f7f6-9jq7-3rqj

--limit

Control how many fixes to attempt at once (default: 10):

# Fix up to 5 vulnerabilities
$ socket fix --limit 5

# Fix up to 10 vulnerabilities
$ socket fix

--range-style

Define how dependency version ranges are updated:

  • preserve (default): Retains existing version range style
  • pin: Uses exact versions (e.g., 1.2.3 instead of ^1.2.3)

# Keep existing range style
$ socket fix --range-style preserve

# Pin to exact versions
$ socket fix --range-style pin

--no-major-updates

Do not suggest or apply fixes that require changing the major version number in direct or transitive dependencies. This option reduces the probability that a fix breaks the application, but it also increases the probability that Socket is unable to find a valid fix for a CVE.

socket fix --no-major-updates

--minimum-release-age

Set a minimum age requirement for suggested upgrade versions (e.g., 1h, 2d, 3w). A higher age requirement reduces the risk of updating to malicious package versions. For example, setting the value to 1 week (1w) gives ecosystem maintainers one week to remove potentially malicious versions from the ecosystem registry.

# Only update to package versions that are at least 3 days old
socket fix --minimum-release-age 3d

# Only update to package versions that are at least 2 weeks old
socket fix --minimum-release-age 2w
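How such an age gate works, as an added example that is not Socket CLI code: it parses the 1h/2d/3w syntax and filters candidate versions by their registry publish time. The npm registry packument does carry per-version publish timestamps in a top-level time object; the package, versions and dates below are constructed for the example, and parseReleaseAge, filterByReleaseAge and eligibleVersions are this example's own names.

```javascript
// Added example (not Socket CLI code): a minimum-release-age gate.
// The npm registry packument exposes publish timestamps in a top-level
// "time" object keyed by version (plus "created"/"modified" keys). Any
// candidate upgrade published more recently than the requested age is
// dropped, so a freshly pushed malicious release is never selected.

const UNIT_MS = { h: 3_600_000, d: 86_400_000, w: 7 * 86_400_000 };

// Parse the --minimum-release-age syntax ("1h", "2d", "3w") into milliseconds.
function parseReleaseAge(spec) {
  const m = /^(\d+)([hdw])$/.exec(String(spec).trim());
  if (!m) throw new Error(`invalid minimum release age: ${spec}`);
  return Number(m[1]) * UNIT_MS[m[2]];
}

// Keep only versions whose publish time is at least minAgeMs before `now`.
// Versions with a missing or unparseable timestamp are rejected, not trusted.
function filterByReleaseAge(time, minAgeMs, now = Date.now()) {
  return Object.entries(time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .filter(([, published]) => {
      const ts = Date.parse(published);
      return Number.isFinite(ts) && now - ts >= minAgeMs;
    })
    .map(([version]) => version);
}

// Constructed sample packument "time" object: the newest version was
// published two hours before NOW. Package, versions and dates are made up.
const SAMPLE_TIME = {
  created: '2024-01-01T00:00:00.000Z',
  modified: '2025-06-10T10:00:00.000Z',
  '1.1.11': '2024-01-01T00:00:00.000Z',
  '1.1.12': '2025-05-20T00:00:00.000Z',
  '1.1.13': '2025-06-10T10:00:00.000Z',
};
const NOW = Date.parse('2025-06-10T12:00:00.000Z');

// Versions of the sample package eligible for upgrade under a given age.
function eligibleVersions(minAge) {
  return filterByReleaseAge(SAMPLE_TIME, parseReleaseAge(minAge), NOW);
}

for (const age of ['1h', '3d', '4w']) {
  console.log(`${age}: ${eligibleVersions(age).join(', ')}`);
}
```

The gate must use the registry's publish timestamp, not anything in your own lockfile, and it should treat an absent timestamp as ineligible: a version the filter cannot date is exactly the kind of version you do not want picked automatically.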

Output Formats

--json

Output results in JSON format for programmatic processing:

$ socket fix --json

--markdown

Output results in Markdown format for documentation:

$ socket fix --markdown

Getting Suggested Fixes

--no-apply-fixes

Computes the dependency upgrades necessary to fix the CVE, but does not apply the upgrades to the project. The suggested upgrades are printed to the console.

socket fix --no-apply-fixes

--output-file

Specify the file path where upgrades should be stored. The path must point to a file with a .json extension.

socket fix --output-file suggested-fixes.json

--show-affected-direct-dependencies

Lists, for each vulnerability in a direct or transitive dependency, the direct dependency through which it enters your project and the upgrades required to resolve it.

# Show affected direct dependencies
socket fix --show-affected-direct-dependencies --id GHSA-6chw-6frg-f759,GHSA-v6h2-p8h4-qcjw --output-file fixes.json

# Upgrade the direct dependency, acorn, to version 5.7.4 to fix vulnerability GHSA-6chw-6frg-f759.
# Upgrade transitive dependency, brace-expansion, to version 1.1.12 to fix GHSA-v6h2-p8h4-qcjw. No direct dependency upgrades are required.
cat fixes.json
{
  "type": "only-direct-dependency-upgrades",
  "fixes": {
    "GHSA-6chw-6frg-f759": {
      "directDependencies": [
        {
          "purl": "pkg:npm/[email protected]",
          "fixedVersion": "5.7.4"
        }
      ]
    },
    "GHSA-v6h2-p8h4-qcjw": {
      "directDependencies": [
        {
          "purl": "pkg:npm/[email protected]",
          "transitiveFixes": [
            {
              "purl": "pkg:npm/[email protected]",
              "fixedVersion": "1.1.12"
            }
          ]
        }
      ]
    }
  }
}
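A consumer for this file, as an added example that is not Socket CLI code: it reads the structure shown above and separates fixes that require a package.json change (a direct dependency gets a fixedVersion) from lockfile-only fixes (a transitive dependency is bumped under an unchanged direct dependency), and flags direct bumps that cross a major version, the case --no-major-updates would refuse. The report in the block is constructed: acorn, brace-expansion and their fixed versions come from the output above, but the current versions, the minimatch direct dependency, the @example/widget package and the GHSA-xxxx-xxxx-xxxx placeholder entry are made up, and parsePurl, summarizeFixes and safeForAutopilot are this example's own names.

```javascript
// Added example (not Socket CLI code): triage the JSON written by
// `socket fix --output-file`. Direct fixes change package.json; transitive
// fixes only change the lockfile. Direct fixes that cross a major version
// are flagged so a CI gate can hold them for human review.

// Split "pkg:npm/name@1.2.3" or "pkg:npm/%40scope/name@1.2.3" into parts.
function parsePurl(purl) {
  const m = /^pkg:([^/]+)\/(.+)@([^@]+)$/.exec(purl);
  if (!m) throw new Error(`unrecognised PURL: ${purl}`);
  return { type: m[1], name: decodeURIComponent(m[2]), version: m[3] };
}

// Leading numeric component of a version string ("5.7.3" -> 5).
function majorOf(version) {
  const m = /^v?(\d+)/.exec(version);
  if (!m) throw new Error(`cannot read major version from: ${version}`);
  return Number(m[1]);
}

function isMajorBump(from, to) {
  return majorOf(from) !== majorOf(to);
}

// Flatten the report into one row per upgrade.
function summarizeFixes(report) {
  const rows = [];
  for (const [advisory, entry] of Object.entries(report.fixes)) {
    for (const dep of entry.directDependencies) {
      const direct = parsePurl(dep.purl);
      if (dep.fixedVersion) {
        rows.push({
          advisory, kind: 'direct', name: direct.name,
          from: direct.version, to: dep.fixedVersion,
          majorBump: isMajorBump(direct.version, dep.fixedVersion),
        });
      }
      for (const t of dep.transitiveFixes ?? []) {
        const trans = parsePurl(t.purl);
        rows.push({
          advisory, kind: 'transitive', via: direct.name, name: trans.name,
          from: trans.version, to: t.fixedVersion,
          majorBump: isMajorBump(trans.version, t.fixedVersion),
        });
      }
    }
  }
  return rows;
}

// CI gate: auto-apply only when no direct dependency crosses a major version.
function safeForAutopilot(rows) {
  return rows.every((r) => !(r.kind === 'direct' && r.majorBump));
}

// Constructed report in the format shown above. Current versions, the
// minimatch direct dependency and the @example/widget entry are made up.
const SAMPLE_REPORT = {
  type: 'only-direct-dependency-upgrades',
  fixes: {
    'GHSA-6chw-6frg-f759': {
      directDependencies: [{ purl: 'pkg:npm/acorn@5.7.3', fixedVersion: '5.7.4' }],
    },
    'GHSA-v6h2-p8h4-qcjw': {
      directDependencies: [{
        purl: 'pkg:npm/minimatch@3.1.2',
        transitiveFixes: [{ purl: 'pkg:npm/brace-expansion@1.1.11', fixedVersion: '1.1.12' }],
      }],
    },
    'GHSA-xxxx-xxxx-xxxx': {
      directDependencies: [{ purl: 'pkg:npm/%40example/widget@1.4.0', fixedVersion: '2.0.1' }],
    },
  },
};

const demoRows = summarizeFixes(SAMPLE_REPORT);
for (const r of demoRows) {
  const via = r.kind === 'transitive' ? ` (via ${r.via}, lockfile only)` : '';
  console.log(`${r.advisory}: ${r.name} ${r.from} -> ${r.to}${via}${r.majorBump ? ' MAJOR' : ''}`);
}
console.log(safeForAutopilot(demoRows) ? 'safe for autopilot' : 'needs review: major bump on a direct dependency');
```

Run it against a real file with `socket fix --no-apply-fixes --output-file fixes.json` followed by a small wrapper that does `JSON.parse(fs.readFileSync('fixes.json', 'utf8'))` and passes the result to summarizeFixes; a non-zero exit when safeForAutopilot returns false is a cheap guard in front of an --autopilot job.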

Supported Ecosystems

Socket Fix supports:

  • C# (NuGet - packages.lock.json support is coming later)

  • Golang (go.sum/go.mod)

  • Java (Maven, Gradle with gradle.lockfile)

  • JavaScript/TypeScript (npm, pnpm v6 or newer, Yarn classic and berry)

  • Python (uv with uv.lock and requirements.txt)

  • Ruby (RubyGems)

  • Rust (Cargo)

Coming Soon:

  • Scala (SBT)

API Token Requirements

To use socket fix, your API token needs:

  • Quota: 101 units per execution
  • Permissions:
    • full-scans:create - to scan your dependencies
    • packages:list - to retrieve package information

Examples

Fix all vulnerabilities in current directory

$ socket fix

Fix vulnerabilities in a specific project

$ socket fix ./proj/tree

Target high-priority CVEs

$ socket fix --id GHSA-hhq3-ff78-jv3g

Generate a fix report

$ socket fix --markdown > security-fixes.md

Conservative approach with exact versions

$ socket fix --limit 1 --range-style pin

Best Practices

  1. Test locally first - Run Socket Fix locally and test before pushing changes
  2. Use version control - Commit before running Socket Fix for easy rollback
  3. Review changes - Always review what Socket Fix changed in your dependencies
  4. Incremental updates - Use --limit or --id for gradual updates in large projects

Notes

  • Socket Fix respects your project's .gitignore file
  • Only dependencies with known safe fixes are updated
  • The command will not downgrade packages
  • The fix engine uses sophisticated upgrade planning to minimize breaking changes