diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml
new file mode 100644
index 0000000000..1fa29eaf35
--- /dev/null
+++ b/.github/workflows/npm-audit-fix.yml
@@ -0,0 +1,48 @@
+name: NPM Audit Fix
+
+on:
+ push:
+ branches:
+ - master
+
+permissions:
+ contents: write
+
+jobs:
+ npm-audit-fix:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 20
+
+ - name: Run npm audit fix across packages
+ run: npm run audit-fix
+
+ - name: Detect changes
+ id: changes
+ run: |
+ if git status --porcelain | grep .; then
+ echo "has_changes=true" >> $GITHUB_OUTPUT
+ else
+ echo "has_changes=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Commit changes
+ if: steps.changes.outputs.has_changes == 'true'
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add -A
+ git commit -m "chore: npm audit fix"
+
+ - name: Push changes
+ if: steps.changes.outputs.has_changes == 'true'
+ run: |
+ git push origin HEAD
diff --git a/npm-audit-fix.sh b/npm-audit-fix.sh
new file mode 100644
index 0000000000..a288245b5b
--- /dev/null
+++ b/npm-audit-fix.sh
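Review bot: In `.github/workflows/npm-audit-fix.yml` the checkout step leaves the `contents: write` token in the repository's git config (the `persist-credentials` default), and the next step runs `npm run audit-fix`, which installs updated dependencies and so can execute their lifecycle scripts with that token within reach. Setting `persist-credentials: false` on the checkout and supplying the token only to the push step would narrow that exposure. The commit step's `git add -A` stages whatever the audit run left in the workspace and `git push origin HEAD` sends it straight to `master` unreviewed; opening a pull request from a bot branch, and staging only lockfiles and manifests, would keep automated dependency changes under review. Pinning `actions/checkout` and `actions/setup-node` to full commit SHAs rather than `@v4` would also suit a job that holds write access.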
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -o nounset
+set -o pipefail
+
+ROOT_DIR="$(pwd)"
+EXIT_CODE=0
+
+while IFS= read -r -d '' package_json; do
+ PROJECT_DIR="$(dirname "$package_json")"
+ DISPLAY_DIR="${PROJECT_DIR#./}"
+
+ echo "Running npm audit fix in ${DISPLAY_DIR:-.}"
+
+ if ! cd "$PROJECT_DIR"; then
+ echo "Skipping ${DISPLAY_DIR:-.}: cannot change directory" >&2
+ EXIT_CODE=1
+ continue
+ fi
+
+ if [ ! -f "package-lock.json" ] && [ ! -f "npm-shrinkwrap.json" ]; then
+ echo "Skipping ${DISPLAY_DIR:-.}: no package-lock.json or npm-shrinkwrap.json"
+ cd "$ROOT_DIR"
+ continue
+ fi
+
+ if ! npm audit fix; then
+ echo "npm audit fix failed in ${DISPLAY_DIR:-.}" >&2
+ EXIT_CODE=1
+ fi
+
+ cd "$ROOT_DIR"
+done < <(find . -name package.json -not -path '*/node_modules/*' -print0)
+
+exit $EXIT_CODE
diff --git a/package.json b/package.json
index 0104178419..5cbdbeceb0 100644
--- a/package.json
+++ b/package.json
@@ -38,6 +38,7 @@
 "uninstall": "bash uninstall.sh",
 "clean-modules": "bash remove-node-modules.sh",
 "install-modules": "bash install-node-modules.sh",
+ "audit-fix": "bash npm-audit-fix.sh",
 "lint": "export NODE_OPTIONS='--max-old-space-size=32768' && npx eslint . --cache",
 "fix-lint": "export NODE_OPTIONS='--max-old-space-size=32768' && npx eslint . --fix --cache --debug",
 "fix": "npm run fix-lint",
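Review bot: In `npm-audit-fix.sh` the bare `npm audit fix` inside the loop performs a real install in every package directory, so lifecycle scripts of the updated dependencies run on whatever machine or CI runner invokes it. If only lockfile and manifest changes are meant to be kept, `npm audit fix --package-lock-only --ignore-scripts` should give the same result without executing third-party code. Separately, the script sets `EXIT_CODE=1` on any non-zero return, and npm appears to return non-zero when advisories remain that it cannot resolve automatically (worth confirming for the npm version in use). In that case the calling workflow step fails and the fixes that did apply are never committed. A short header comment stating that the script is best-effort per directory, and what a non-zero exit means, would help callers decide whether to treat it as fatal.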