# Auto-fix pull requests
Finding a vulnerability is half the job. dpndncY opens the fix: a pull/merge request that bumps the dependency, patches both the manifest and the lockfile, explains the breaking-change risk, and links the full evidence bundle — on GitHub, GitLab, or a self-hosted instance of either.
## What an auto-fix PR contains
- Patched manifest — the version bump in your declaration file (9 formats).
- Regenerated lockfile — the exact transitive graph re-pinned (7 formats).
- Breaking-change analysis — a semver-aware diff plus the API-surface impact, written into the PR description.
- Evidence — the advisory, signal stack (KEV/EPSS/ExploitDB), and decision tier, linked.
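The first two items above are the ones a reviewer should verify rather than trust: a bump that lands in the manifest but not in the lockfile leaves the vulnerable version installed. The script below is an added example (not dpndncY's code) of that cross-check. It assumes an npm-style `package.json` plus a simplified lockfile v2/v3 shape (`packages` keyed by `node_modules/<name>`), handles only exact pins and caret ranges, and classifies the bump by semver so a major bump is surfaced as breaking-change risk; all inputs are constructed.

```python
"""Added example (not dpndncY's code): verify that an auto-fix PR bumped a
dependency in BOTH the manifest and the lockfile, that the locked version
satisfies the new declared range, and classify the bump's semver impact so
reviewers see the breaking-change risk. Inputs are constructed, npm-style
documents in a simplified lockfile v2/v3 shape (assumption)."""
import json
import re
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v'; pre-release/build tag ignored)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def satisfies(version: Version, spec: str) -> bool:
    """Exact pins and caret ranges only; enough for a manifest/lockfile cross-check."""
    spec = spec.strip()
    if spec.startswith("^"):
        low = parse_version(spec[1:])
        if low[0] > 0:
            high = (low[0] + 1, 0, 0)      # ^1.2.3 -> >=1.2.3 <2.0.0
        elif low[1] > 0:
            high = (0, low[1] + 1, 0)      # ^0.2.3 -> >=0.2.3 <0.3.0
        else:
            high = (0, 0, low[2] + 1)      # ^0.0.3 -> ==0.0.3
        return low <= version < high
    return version == parse_version(spec)


def bump_kind(old: Version, new: Version) -> str:
    """Semver class of the change; 'major' is the breaking-change risk reviewers care about."""
    if new <= old:
        return "none"
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


def locked_version(lock: dict, name: str) -> Version:
    """Resolved version of a top-level dependency in the (simplified) lockfile."""
    return parse_version(lock["packages"][f"node_modules/{name}"]["version"])


def check_fix_pr(name: str, manifest_before: dict, manifest_after: dict,
                 lock_before: dict, lock_after: dict) -> dict:
    """Cross-check one dependency bump across manifest and lockfile."""
    issues: List[str] = []
    spec_old = manifest_before["dependencies"][name]
    spec_new = manifest_after["dependencies"][name]
    locked_old = locked_version(lock_before, name)
    locked_new = locked_version(lock_after, name)

    if spec_old == spec_new:
        issues.append("manifest not updated")
    if locked_old == locked_new:
        issues.append("lockfile not updated")
    if not satisfies(locked_new, spec_new):
        issues.append(f"locked {locked_new} does not satisfy declared {spec_new}")

    kind = bump_kind(locked_old, locked_new)
    return {"ok": not issues, "issues": issues, "bump": kind,
            "breaking_risk": kind == "major"}


# Constructed sample: a patch-level bump of a hypothetical package applied to both files.
MANIFEST_BEFORE = json.loads('{"dependencies": {"example-lib": "^1.4.2"}}')
MANIFEST_AFTER = json.loads('{"dependencies": {"example-lib": "^1.4.9"}}')
LOCK_BEFORE = json.loads('{"packages": {"node_modules/example-lib": {"version": "1.4.2"}}}')
LOCK_AFTER = json.loads('{"packages": {"node_modules/example-lib": {"version": "1.4.9"}}}')


def demo_consistent() -> dict:
    """Both files bumped: the PR is safe to merge from a consistency standpoint."""
    return check_fix_pr("example-lib", MANIFEST_BEFORE, MANIFEST_AFTER, LOCK_BEFORE, LOCK_AFTER)


def demo_stale_lockfile() -> dict:
    """Manifest bumped but the lockfile still pins the vulnerable version."""
    return check_fix_pr("example-lib", MANIFEST_BEFORE, MANIFEST_AFTER, LOCK_BEFORE, LOCK_BEFORE)


if __name__ == "__main__":
    print(demo_consistent())
    print(demo_stale_lockfile())
```

The stale-lockfile case is the one worth wiring into CI for any fix PR, whether opened by a tool or a person: the declared range moves, but `npm ci` would still install the old pin, so the advisory is not actually closed.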
## Flows
| Mode | Behaviour |
|---|---|
| Per-finding | One PR per vulnerability — easy to review and revert. |
| Bulk | Batch compatible bumps into a single PR to reduce churn. |
## Configuration
- Connect the SCM (GitHub / GitLab, including self-hosted).
- Set the target branch and default reviewers.
- Choose which decision tiers auto-open PRs (e.g. Patch-Now automatically, Sprint on demand).
## Stays current during review
If the base branch advances while a fix PR is open, dpndncY rebases the PR and re-resolves the lockfile against the new base, so the PR doesn't go stale.