Lockfile patching
The lockfile is what actually gets installed. dpndncY re-pins it to the fixed version across 7 formats, recomputes integrity hashes, and keeps the change as surgical as the ecosystem allows.
Supported lockfiles
package-lock.json · yarn.lock · pnpm-lock.yaml · poetry.lock · Pipfile.lock · Cargo.lock · Gemfile.lock
Strategy
- Surgical when safe — for a transitive bump that doesn’t ripple through the rest of the graph (no dependent’s declared range rejects the new version), dpndncY edits only the affected entries.
- Full re-resolution when needed — when the change affects the graph, it re-resolves to produce a correct, consistent lockfile.
- Integrity hashes — recomputed and verified so the lockfile stays valid and reproducible.
- Shared-dependency ordering — when several findings touch the same dependency, fixes are ordered to avoid conflicting PRs.
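As an added illustration (not dpndncY’s own code), here is a minimal Python sketch of the surgical path for a `package-lock.json`: it checks whether any dependent’s range would reject the new version, and only then rewrites the one entry and recomputes its SRI `integrity` hash from the tarball bytes. The sample lockfile, package names, registry URL and tarball contents are constructed, and the range check handles only `^x.y.z` specs.

```python
import base64, copy, hashlib

# Constructed sample package-lock.json (lockfileVersion 3); names, URLs and hashes are made up.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.0.0"}},
        "node_modules/web-framework": {
            "version": "2.1.0", "integrity": "sha512-AAAA",
            "resolved": "https://registry.example/web-framework/-/web-framework-2.1.0.tgz",
            "dependencies": {"tiny-parser": "^1.2.0"},
        },
        "node_modules/tiny-parser": {
            "version": "1.2.3", "integrity": "sha512-BBBB",
            "resolved": "https://registry.example/tiny-parser/-/tiny-parser-1.2.3.tgz",
        },
    },
}

def sri_sha512(tarball: bytes) -> str:
    """Subresource-Integrity string npm stores in `integrity`: sha512 digest, base64."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()

def caret_allows(spec: str, version: str) -> bool:
    """Minimal semver check for `^x.y.z` ranges only (an assumption for this sketch)."""
    if not spec.startswith("^"):
        return False          # anything else: be conservative and treat it as blocking
    lo = tuple(int(p) for p in spec[1:].split("."))
    v = tuple(int(p) for p in version.split("."))
    return v[0] == lo[0] and v >= lo

def blocking_dependents(lock: dict, name: str, new_version: str) -> list:
    """Packages whose declared range on `name` would not accept `new_version`."""
    return [path for path, pkg in lock["packages"].items()
            if name in pkg.get("dependencies", {})
            and not caret_allows(pkg["dependencies"][name], new_version)]

def patch_lockfile(lock: dict, name: str, new_version: str, tarball: bytes):
    """Surgical re-pin: touch only the entry for `name`. Returns None when a
    dependent's range rejects the new version, i.e. full re-resolution is needed."""
    if blocking_dependents(lock, name, new_version):
        return None
    fixed = copy.deepcopy(lock)
    entry = fixed["packages"][f"node_modules/{name}"]
    entry["version"] = new_version
    entry["resolved"] = f"https://registry.example/{name}/-/{name}-{new_version}.tgz"
    entry["integrity"] = sri_sha512(tarball)   # recomputed from the real tarball bytes
    return fixed
```

A real implementation would fetch the tarball named in `resolved` before hashing, and would need the full semver grammar rather than the caret-only check used here.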
Verify the build after a fix
A lockfile bump can pull a new transitive graph. The auto-fix PR is a starting point — your CI (and the next dpndncY scan on the PR branch) confirms it builds and clears the finding.