dpndncY

Auto-fix pull requests

Finding a vulnerability is half the job. dpndncY opens the fix: a pull/merge request that bumps the dependency, patches both the manifest and the lockfile, explains the breaking-change risk, and links the full evidence bundle — on GitHub, GitLab, or self-hosted.

What an auto-fix PR contains

  • Patched manifest — the version bump in your declaration file (9 formats).
  • Regenerated lockfile — the exact transitive graph re-pinned (7 formats).
  • Breaking-change analysis — semver-aware diff + API-surface impact in the description (details).
  • Evidence — the advisory, signal stack (KEV/EPSS/ExploitDB), and decision tier, linked.
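To make the first three items concrete, here is a small added illustration (example code, not dpndncY's own implementation) of the work behind a fix PR: bump a dependency in a package.json manifest while keeping its range prefix, classify the bump by semver so the description can state the breaking-change risk, and assemble the description text with the advisory reference and decision tier. The manifest content and the advisory fields (id, severity, tier) are constructed placeholders; regenerating the lockfile is left to the package manager and is not shown.

```python
"""Added illustration of assembling an auto-fix PR: manifest bump, semver-aware
breaking-change classification, and a PR description carrying the evidence.
Example code, not dpndncY's implementation; all inputs below are constructed."""
import json
import re

# Matches an exact version or a caret/tilde range such as "^4.17.15" / "~4.18.0".
SEMVER_RE = re.compile(r"^[\^~]?(\d+)\.(\d+)\.(\d+)")

# Constructed sample manifest and advisory (placeholder values, not real data).
MANIFEST = json.dumps({
    "name": "web-app",
    "dependencies": {"lodash": "^4.17.15", "express": "~4.18.0"},
}, indent=2)
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "severity": "high", "tier": "Patch-Now"}


def parse_semver(spec):
    """Return (major, minor, patch) from a version or caret/tilde range."""
    m = SEMVER_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    return tuple(int(x) for x in m.groups())


def classify_bump(current, fixed):
    """Semver-aware classification of the upgrade from the declared version to
    the fixed one: 'major' may change the API surface, 'minor' adds features,
    'patch' should be drop-in, 'none' if the declaration already meets the fix."""
    cur, new = parse_semver(current), parse_semver(fixed)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def bump_manifest(manifest_text, package, fixed_version):
    """Rewrite the declaration of `package` to `fixed_version`, preserving a
    leading ^ or ~ so the range style stays as the project wrote it.
    Returns (new_manifest_text, old_spec)."""
    manifest = json.loads(manifest_text)
    for section in ("dependencies", "devDependencies"):
        deps = manifest.get(section, {})
        if package in deps:
            old = deps[package]
            prefix = old[0] if old and old[0] in "^~" else ""
            deps[package] = prefix + fixed_version
            return json.dumps(manifest, indent=2) + "\n", old
    raise KeyError(f"{package} is not declared in the manifest")


def pr_description(package, old_spec, fixed_version, advisory):
    """Build the PR body: what changed, the evidence, and the breaking-change risk."""
    kind = classify_bump(old_spec, fixed_version)
    risk = {
        "patch": "low: patch release, expected to be drop-in",
        "minor": "low to medium: new minor version, check the changelog for deprecations",
        "major": "high: major version, API surface may have changed; run the full test suite",
        "none": "no change required",
    }[kind]
    return "\n".join([
        f"Bump {package} from {old_spec} to {fixed_version}",
        "",
        f"Advisory: {advisory['id']} (severity {advisory['severity']})",
        f"Decision tier: {advisory['tier']}",
        f"Semver change: {kind}",
        f"Breaking-change risk: {risk}",
    ])


if __name__ == "__main__":
    new_manifest, old_spec = bump_manifest(MANIFEST, "lodash", "4.17.21")
    print(new_manifest)
    print(pr_description("lodash", old_spec, "4.17.21", ADVISORY))
```

The classification is deliberately conservative: a major bump is always flagged as high risk even when the fixed version is only one release away, because that is the case in which a reviewer most needs to look at the API diff before merging.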

Flows

Mode          Behaviour
Per-finding   One PR per vulnerability — easy to review and revert.
Bulk          Batch compatible bumps into a single PR to reduce churn.

Configuration

  • Connect the SCM (GitHub / GitLab, including self-hosted).
  • Set the target branch and default reviewers.
  • Choose which decision tiers auto-open PRs (e.g. Patch-Now automatically, Sprint on demand).

Stays current during review

If the base branch advances while a fix PR is open, dpndncY rebases the PR and re-resolves the lockfile so it doesn’t go stale.

See also