Autofix
Through the autofix it is possible to have vulnerable and/or outdated dependency definitions within a project's manifest file(s) fixed automatically. Fixes are applied by updating a given dependency's version based on the chosen strategy and reach, plus any additional options.
Supported manifest files
Gemfile/Gemfile.lock (Ruby)
composer.json/composer.lock (PHP)
pom.xml (Java/Maven)
*.msproj (.NET)
package.json/package-lock.json/yarn.lock (Node.js)
Pipfile/Pipfile.lock (Python)
Strategies
safe: update the dependency version number with patch version updates only. This strategy is the least likely to introduce breaking changes to your project, since patch version updates are used to apply backwards-compatible bug fixes.
conservative: update the dependency version number with either minor or patch version updates. This strategy could introduce breaking changes because, although backwards compatible, new features are introduced with minor version updates.
aggressive: update the dependency version number with major, minor or patch version updates. This strategy is the most likely to introduce breaking changes to your project, since major version updates make incompatible API changes.
Reach
all: update all dependencies according to the chosen strategy
vulns: only update vulnerable dependencies according to the chosen strategy
dated: only update outdated dependencies according to the chosen strategy
parent: only update parent dependencies according to the chosen strategy
Additional options
no-overrides: do not override dependencies (by default they are overridden)
readonly: only simulate fixes, do not apply them to actual manifest files
Example usage
You can instruct the client to perform the autofix with the --autofix flag. You can provide comma-separated programs, each of which is a combination of a strategy, a reach and any additional options joined with the + symbol.
In this example the autofix will perform 2 programs consecutively.
#1 program: vulnerable dependencies will be updated with either minor or patch version updates, choosing the safest versions available and prioritising minor versions over patch versions.
#2 program: all remaining outdated dependencies will be updated to the latest safest patch version, without applying overrides.
If only --autofix is issued to the client, the default programs run are
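The program syntax and the three strategies described above, as an added illustration that is not the client's own code: a small parser for comma-separated "strategy+reach[+option...]" programs, plus the version choice each strategy permits over a constructed list of available releases. The program string "conservative+vulns,safe+dated+no-overrides" is an assumed reconstruction of the two-program example described in the text, and the release list is constructed sample data.

```python
"""Added example (not the client's code): parse --autofix programs and show
which target version each strategy would allow for a dependency."""
import re

STRATEGIES = {"safe", "conservative", "aggressive"}
REACHES = {"all", "vulns", "dated", "parent"}
OPTIONS = {"no-overrides", "readonly"}


def parse_programs(spec):
    """Turn e.g. 'conservative+vulns,safe+dated+no-overrides' into a list of
    (strategy, reach, options) tuples; rejects unknown or ambiguous parts."""
    programs = []
    for prog in spec.split(","):
        parts = [p.strip() for p in prog.split("+")]
        strategy = [p for p in parts if p in STRATEGIES]
        reach = [p for p in parts if p in REACHES]
        opts = {p for p in parts if p in OPTIONS}
        unknown = [p for p in parts if p not in STRATEGIES | REACHES | OPTIONS]
        if len(strategy) != 1 or len(reach) != 1 or unknown:
            raise ValueError(f"invalid autofix program: {prog!r}")
        programs.append((strategy[0], reach[0], opts))
    return programs


def semver(version):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(x) for x in match.groups())


def pick_version(current, available, strategy):
    """Highest release in `available` that `strategy` allows relative to
    `current`: safe keeps major.minor, conservative keeps major, aggressive
    accepts anything newer. Returns `current` when nothing qualifies."""
    cur = semver(current)
    allowed = []
    for candidate in available:
        ver = semver(candidate)
        if ver <= cur:
            continue  # never downgrade or re-pin the same version
        if strategy == "safe" and ver[:2] != cur[:2]:
            continue
        if strategy == "conservative" and ver[0] != cur[0]:
            continue
        allowed.append(ver)
    return ".".join(map(str, max(allowed))) if allowed else current
```

Running the parser over an invalid string such as "safe+fast" raises ValueError, which is the behaviour a client should prefer over silently falling back to a default program.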