Manifest patching
The manifest patcher edits your dependency declaration to the fixed version, in place, across 9 formats — preserving comments, ordering, and formatting so the diff is minimal and reviewable.
Supported manifests
package.json · requirements.txt · pom.xml · go.mod · Cargo.toml · packages.config · composer.json · Gemfile · build.gradle
How it patches
- Semver-aware bumps — chooses the minimal version that clears the advisory while respecting your declared range style (caret, tilde, pin).
- Workspace / monorepo aware — handles Yarn / pnpm workspaces and multi-module builds.
- Conflict detection — flags when a bump would create a resolution conflict instead of silently breaking the graph.
- Format-preserving — keeps comments, key order, and whitespace so the PR diff is just the version.
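The format-preserving, range-style-aware bump described in the list above, sketched for package.json as an added example (this is not dpndncY's own code). The function names, package names, and versions are constructed for illustration, and the sketch assumes plain x.y.z specs with an optional caret or tilde prefix.

```python
import difflib
import re

# Constructed sample manifest (not from the page); the uneven spacing is deliberate.
MANIFEST = '''{
  "name": "demo-app",
  "dependencies": {
    "example-http":   "~2.3.0",
    "example-lib": "^4.9.15",
    "example-util": "1.3.0"
  }
}
'''

def parse(version):
    """Turn '4.17.21' into (4, 17, 21) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def bump(text, package, fixed):
    """Rewrite only the version digits of `package`, keeping its range prefix.

    Returns (new_text, changed). Works on the raw text rather than re-serialising
    the JSON, so key order and whitespace survive. Specs that are not a plain
    x.y.z with optional ^ or ~ (ranges, tags, URLs) are left untouched.
    """
    pattern = re.compile(
        r'("' + re.escape(package) + r'"\s*:\s*")([\^~]?)(\d+\.\d+\.\d+)(")'
    )
    match = pattern.search(text)
    if match is None or parse(match.group(3)) >= parse(fixed):
        return text, False  # not declared in a handled form, or already at/after the fix
    start, end = match.span(3)  # span of the digits only; prefix and quotes stay
    return text[:start] + fixed + text[end:], True

def changed_lines(old, new):
    """Added/removed lines between two manifest texts, without diff headers."""
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     lineterm="", n=0))
    return [line for line in diff[2:] if line.startswith(("+", "-"))]

if __name__ == "__main__":
    patched, _ = bump(MANIFEST, "example-lib", "4.17.21")
    print("\n".join(changed_lines(MANIFEST, patched)))
```

Comparing parsed tuples matters here: as strings, "4.9.15" sorts after "4.17.21", which would make the patcher wrongly treat the vulnerable version as already fixed.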
Manifest + lockfile move together
Patching the manifest alone leaves the lockfile pinning the old version. dpndncY regenerates the lockfile in the same PR so the fix is actually applied.