Autofix

The autofix automatically fixes vulnerable and/or outdated dependency definitions in a project's manifest file(s). Fixes are applied by updating a given dependency's version according to the chosen strategy and reach, plus any additional options.

Supported manifest files

  • Gemfile/Gemfile.lock (Ruby)

  • composer.json/composer.lock (PHP)

  • pom.xml (Java/Maven)

  • *.msproj (.NET)

  • package.json/package-lock.json/yarn.lock (Node.js)

  • Pipfile/Pipfile.lock (Python)

Strategies

  • safe: update the dependency version number with patch version updates only. This strategy is the least likely to introduce breaking changes to your project, since patch version updates only apply backwards-compatible bug fixes.

  • conservative: update the dependency version number with either minor or patch version updates. This strategy could introduce breaking changes: although minor version updates are meant to be backwards compatible, they introduce new features.

  • aggressive: update the dependency version number with major, minor or patch version updates. This strategy is the most likely to introduce breaking changes to your project, since major version updates make incompatible API changes.

Reach

  • all: update all dependencies according to the chosen strategy

  • vulns: only update vulnerable dependencies according to the chosen strategy

  • dated: only update outdated dependencies according to the chosen strategy

  • parent: only update parent dependencies according to the chosen strategy

Additional options

  • no-overrides: do not override dependencies (by default they are overridden)

  • readonly: only simulate fixes, do not apply them to actual manifest files

Example usage

You can instruct the client to perform the autofix with the --autofix flag. You can provide a comma-separated list of programs; each program is a combination of a strategy, a reach and any additional options, joined with the + symbol.

--autofix:conservative+vulns,safe+dated+no-overrides

In this example the autofix will perform 2 programs consecutively.

  • #1 program: vulnerable dependencies are updated with either minor or patch version updates, choosing the safest versions available and prioritising minor versions over patch versions.

  • #2 program: all remaining outdated dependencies are updated to the latest safest patch version, without applying overrides.

If --autofix is issued to the client without any programs, the default programs run are

safe+vulns,safe+dated+no-overrides
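The following is an added example, not the client's own code: it parses a program list in the strategy+reach+option syntax described above, rejecting unknown tokens so a typo cannot silently widen the update reach, and shows which version each strategy would select for a dependency. The three-part version numbers, the candidate list and the function names are assumptions made for the illustration.

```python
# Added example (not the client's code): parse --autofix programs and apply the
# documented strategies to a constructed list of candidate versions.
from typing import FrozenSet, List, Optional, Tuple

STRATEGIES = {"safe", "conservative", "aggressive"}
REACHES = {"all", "vulns", "dated", "parent"}
OPTIONS = {"no-overrides", "readonly"}


def parse_programs(spec: str) -> List[Tuple[str, str, FrozenSet[str]]]:
    """Split 'strategy+reach[+option...]' programs separated by commas.

    Raises ValueError on an unknown token, or when a program does not name
    exactly one strategy and one reach, so a mistyped program fails loudly.
    """
    programs = []
    for program in spec.split(","):
        parts = program.split("+")
        strategy = [p for p in parts if p in STRATEGIES]
        reach = [p for p in parts if p in REACHES]
        options = frozenset(p for p in parts if p in OPTIONS)
        unknown = [p for p in parts if p not in STRATEGIES | REACHES | OPTIONS]
        if unknown or len(strategy) != 1 or len(reach) != 1:
            raise ValueError(f"invalid autofix program: {program!r}")
        programs.append((strategy[0], reach[0], options))
    return programs


def _semver(v: str) -> Tuple[int, int, int]:
    """Parse a constructed 'major.minor.patch' string into a comparable tuple."""
    major, minor, patch = (int(x) for x in v.split("."))
    return major, minor, patch


def pick_update(current: str, available: List[str], strategy: str) -> Optional[str]:
    """Highest candidate the strategy allows, or None when nothing qualifies.

    safe keeps major.minor fixed; conservative keeps major fixed; aggressive
    accepts any newer version (so the largest allowed jump is always chosen).
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy!r}")
    cur = _semver(current)
    allowed = []
    for cand in available:
        c = _semver(cand)
        if c <= cur:
            continue  # never downgrade or re-apply the current version
        if strategy == "safe" and c[:2] != cur[:2]:
            continue
        if strategy == "conservative" and c[0] != cur[0]:
            continue
        allowed.append(c)
    return ".".join(map(str, max(allowed))) if allowed else None
```

Running parse_programs on the page's own example string yields two programs, and pick_update("1.2.3", ["1.2.4", "1.2.9", "1.3.0", "2.0.0"], s) returns "1.2.9", "1.3.0" and "2.0.0" for safe, conservative and aggressive respectively.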
