npm audit found high severity vulnerabilities
Fix 'npm audit found N vulnerabilities (M high severity)'. Get a patched package.json with all high severity CVEs resolved.
⚠ Error Message
found 3 high severity vulnerabilities
Root Cause
One or more of your npm dependencies, direct or transitive, has a known HIGH or CRITICAL advisory (usually with a CVE ID). npm audit reports it, but npm audit fix only applies semver-compatible updates, so if the patched release is a new major version of a direct dependency it will leave the finding in place rather than introduce a breaking change.
How to Fix
- Paste your package.json into PackageFix to get a live CVE scan with safe fix versions.
- Review the severity badges — CRITICAL and HIGH packages on the CISA KEV catalog are flagged in red.
- Download the fixed package.json and run npm install to regenerate package-lock.json.
- For transitive vulnerabilities, use the npm overrides block PackageFix generates (overrides are honored by npm 8.3 and later, and only from the root package.json).
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
Open PackageFix →
No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
Why can't npm audit fix resolve high severity vulnerabilities?
npm audit fix only applies semver-compatible updates. If the fix requires a major version bump, it won't apply automatically, to avoid breaking changes. npm audit fix --force will install the breaking major versions, but it can change APIs across your dependency tree, so run your test suite afterwards rather than trusting a clean audit.
What does 'high severity' mean in npm audit?
HIGH severity corresponds to a CVSS base score of 7.0–8.9. The score reflects the advisory's worst case, not whether the vulnerable code path is reachable in your application, so read the advisory to judge actual exposure. Fix HIGH findings within your next release cycle.
How do I fix a high severity vulnerability in a transitive dependency?
Use npm overrides in package.json: {"overrides": {"vulnerable-package": "safe-version"}}. To limit the pin to one parent, nest it: {"overrides": {"parent-package": {"vulnerable-package": "safe-version"}}}. After adding it, delete node_modules and package-lock.json, run npm install, and re-run your tests: the parent that pulled in the old version may not be compatible with the pinned one. PackageFix generates this snippet.
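The following script shows the triage behind the two answers above: it reads the JSON that npm audit --json emits (npm 7+ report format), separates findings npm audit fix can patch in place from those stuck behind a major bump, and drafts an overrides block for the transitive ones. It is an added example, not PackageFix code; the report it runs on is constructed, and the package names and advisories in it (acme-yaml, acme-cli, acme-escape, acme-legacy) are hypothetical.

```javascript
// Added example (not PackageFix code): triage an `npm audit --json` report
// (auditReportVersion 2) and draft an `overrides` block for transitive packages
// whose only known fix is a major bump of a direct dependency.
// The report below is constructed; package names and advisories are hypothetical.

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Transitive package with its own advisory; the only fix npm knows of is
    // upgrading the direct dependency acme-cli to a new major.
    'acme-yaml': {
      name: 'acme-yaml', severity: 'high', isDirect: false,
      via: [{ name: 'acme-yaml', title: 'Prototype pollution (constructed)', severity: 'high', range: '<2.0.0' }],
      effects: ['acme-cli'], range: '<2.0.0', nodes: ['node_modules/acme-yaml'],
      fixAvailable: { name: 'acme-cli', version: '5.0.0', isSemVerMajor: true },
    },
    // Direct dependency listed only because it pulls in acme-yaml (`via` is a name, not an advisory).
    'acme-cli': {
      name: 'acme-cli', severity: 'high', isDirect: true,
      via: ['acme-yaml'], effects: [], range: '<=4.2.1', nodes: ['node_modules/acme-cli'],
      fixAvailable: { name: 'acme-cli', version: '5.0.0', isSemVerMajor: true },
    },
    // Direct dependency with a semver-compatible patch: `npm audit fix` handles it.
    'acme-escape': {
      name: 'acme-escape', severity: 'high', isDirect: true,
      via: [{ name: 'acme-escape', title: 'ReDoS (constructed)', severity: 'high', range: '<1.4.2' }],
      effects: [], range: '<1.4.2', nodes: ['node_modules/acme-escape'], fixAvailable: true,
    },
    // Unmaintained package: no fixed version published.
    'acme-legacy': {
      name: 'acme-legacy', severity: 'moderate', isDirect: false,
      via: [{ name: 'acme-legacy', title: 'Path traversal (constructed)', severity: 'moderate', range: '*' }],
      effects: ['acme-cli'], range: '*', nodes: ['node_modules/acme-legacy'], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 3, critical: 0, total: 4 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Derive the first non-vulnerable version from an advisory range of the simple
// form "<X.Y.Z". Compound ranges and "*" return null and must be chosen by hand.
function firstPatchedVersion(range) {
  const m = /^<(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[1] : null;
}

// Classify each finding at or above minSeverity by how it can be fixed, and
// draft flat `overrides` entries for transitive packages stuck behind a major
// bump. Entries whose safe version cannot be derived get a placeholder rather
// than a guessed pin.
function triage(report, minSeverity = 'high') {
  const result = { autoFixable: [], needsMajorBump: [], noFix: [], overrides: {} };
  for (const v of Object.values(report.vulnerabilities)) {
    if (SEVERITY_RANK[v.severity] < SEVERITY_RANK[minSeverity]) continue;
    // Packages vulnerable only through a dependency carry no advisory of their
    // own (`via` holds package names); skip them so the root cause is counted once.
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;

    if (v.fixAvailable === true) {
      result.autoFixable.push(v.name);
    } else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) {
      result.needsMajorBump.push({ name: v.name, via: v.fixAvailable.name, toVersion: v.fixAvailable.version });
      if (!v.isDirect) {
        const patched = firstPatchedVersion(v.range);
        result.overrides[v.name] = patched ? `^${patched}` : 'TODO: pick a patched version from the advisory';
      }
    } else {
      result.noFix.push(v.name);
    }
  }
  return result;
}

// Render the drafted overrides as a package.json fragment ready to merge in.
function overridesFragment(triaged) {
  return JSON.stringify({ overrides: triaged.overrides }, null, 2);
}

const triaged = triage(SAMPLE_REPORT);
console.log('npm audit fix can patch:', triaged.autoFixable);
console.log('need a major bump:', triaged.needsMajorBump);
console.log('no fix published:', triaged.noFix);
console.log(overridesFragment(triaged));
```

On a real project, feed it the output of npm audit --json instead of SAMPLE_REPORT. The override it drafts for acme-yaml pins the transitive package past the advisory range without bumping acme-cli, which is exactly the case npm audit fix refuses; whether acme-cli still works with that version is something only your tests can confirm.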
What is the difference between HIGH and CRITICAL in npm audit?
HIGH = CVSS 7.0–8.9, CRITICAL = CVSS 9.0–10.0. Both require prompt remediation. CRITICAL should be fixed immediately.