Recently our project upgraded to pnpm 11. While maintaining the project dependencies, I took a look at how pnpm audit --fix fixes vulnerabilities. pnpm audit itself is easy to understand: it checks whether dependencies in the lockfile match known vulnerabilities. But once --fix enters the picture, things become a little more subtle.