This error occurs when apt attempts to upgrade a package marked as held while using -y (automatic yes), but the --allow-change-held-packages flag was not provided. Held packages are protected from automatic changes to prevent dependency conflicts.
When you use apt-mark hold on a package, you're telling APT to protect that package from being automatically upgraded, downgraded, or removed during standard apt upgrade or apt dist-upgrade operations. This is useful when a package has version-specific requirements or compatibility constraints. However, when APT detects that a held package needs to be changed to satisfy dependencies during an upgrade (especially when run with -y for automatic approval), it refuses the operation with this error. This is a safety mechanism to ensure held packages aren't modified without explicit user consent. The error specifically requires the --allow-change-held-packages flag to bypass this protection, forcing APT to acknowledge that you understand the held package may be modified.
First, see what packages have been marked as held on your system:
apt-mark showhold
This lists all packages currently protected from changes. Review this list to understand what's being held.
If you want to proceed with the upgrade while modifying held packages, add the --allow-change-held-packages flag:
sudo apt upgrade --allow-change-held-packages -y
or with apt-get:
sudo apt-get upgrade --allow-change-held-packages -y
If you no longer need a package to be held, remove the hold:
sudo apt-mark unhold package-name
For multiple packages:
sudo apt-mark unhold package1 package2 package3
To remove all holds at once:
sudo apt-mark unhold $(sudo apt-mark showhold)
Use this carefully if you're unsure why packages were held.
If using unattended-upgrades, modify the config to allow held package changes:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Add or ensure this line exists:
Unattended-Upgrade::Allow-Change-Held-Packages "true";
Why packages are held:
Packages are often held to prevent breaking changes. Common reasons include:
- Version-specific application requirements (e.g., holding a database version for compatibility)
- Custom builds or patches that don't exist in repositories
- Testing upgrades in a staged manner
- Avoiding security tool updates that require configuration changes
Held packages vs broken packages:
Don't confuse "held packages" with "held broken packages". Held broken packages indicate unmet dependencies—these require apt install -f to fix.
Dependency resolution risk:
When you allow held packages to be changed, APT may upgrade them to versions that have different behavior or configuration requirements. Test upgrades in a non-production environment first.
Container and CI/CD contexts:
In Docker builds or CI pipelines, you may inherit held packages from base images or previous layers. Always check apt-mark showhold before upgrading, or explicitly unhold packages you want to update.
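The pre-upgrade check recommended above, as an added example that is not part of the original page: it intersects saved `apt-mark showhold` output with the `Inst`/`Remv` lines of an `apt-get -s` simulation to list the held packages a run would change. The function names, file names and sample package data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Sample data below is constructed.

# held_changes HELD_FILE SIM_FILE
#   HELD_FILE: saved output of `apt-mark showhold` (one package per line)
#   SIM_FILE:  saved output of `apt-get -s <operation>` (simulation only)
# Prints "<action> <package>" for each held package the simulated run would
# install/upgrade (Inst) or remove (Remv). Returns 1 if any were found.
held_changes() {
    # No holds: nothing can match. This also keeps awk's NR==FNR test valid,
    # which misfires when the first file is empty.
    [ -s "$1" ] || return 0
    awk '
        NR == FNR { if ($1 != "") held[$1] = 1; next }   # first file: held set
        ($1 == "Inst" || $1 == "Remv") && ($2 in held) {
            print $1, $2
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1" "$2"
}

# demo: run held_changes over constructed sample input.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' docker-ce postgresql-14 > "$tmp/held"
    cat > "$tmp/sim" <<'EOF'
Inst docker-ce [5:24.0.7-1] (5:25.0.3-1 Docker:stable [amd64])
Inst curl [7.81.0-1] (7.81.0-2 Ubuntu:22.04 [amd64])
Remv postgresql-14 [14.10-0]
Conf docker-ce (5:25.0.3-1 Docker:stable [amd64])
Conf curl (7.81.0-2 Ubuntu:22.04 [amd64])
EOF
    status=0
    held_changes "$tmp/held" "$tmp/sim" || status=$?
    rm -rf "$tmp"
    return "$status"
}

# On a Debian/Ubuntu host:
#   apt-mark showhold > held.txt
#   apt-get -s dist-upgrade > sim.txt
#   held_changes held.txt sim.txt || echo "held packages would change" >&2
```

In a CI job, a non-zero return can fail the step so that a held package is only changed after someone has reviewed why it was held.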