Hi Oliver,
Thanks for getting back to me. We're looking at tools that can help us generate pull requests for certain triaged vulnerabilities (could be based on EPSS or CVSS score, or require human judgement). Developers can see which tests/build errors are failing and fix them, otherwise just review & merge. We think this will help us maintain healthy patching pipelines for our projects. If that's successful, then we'll look at lowering the threshold for auto-patching.
If you folks are working on an experimental branch for npm or have beta versions, we'd love to try it out! For now we're evaluating if the solution:
- requires build tools (npm, maven, pip) to detect transitive dependencies and generate new lock files. This is helpful to determine if the patch generation can be run anywhere, or has to be run in the existing project's CI/CD pipeline to avoid build breakage
- can provide structured output (which osv-scanner has) to parse/chain additional workflow
- has flexibility in terms of choosing patching parameters. So far we've determined there are a few strategies we'd like to pursue:
  - direct version upgrade (similar to in-place lock file modification in your latest comment)
  - direct + transitive version update (similar to direct dependency bumps)
  - force version update/downgrade (specific to gradle, useful for when one of the transitive dependencies cannot be updated)
  - direct version downgrade/removal (in case of typosquatting or malware)
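An added example, not code from this thread or from the osv-scanner project, of the triage step sketched above: consume a structured scanner report, apply a CVSS/EPSS threshold, and map each finding to one of the patching strategies listed (auto-upgrade, downgrade/removal for malware, or hand-off to a human). The report shape is a simplified assumption modelled on osv-scanner's JSON output (results / packages / vulnerabilities holding OSV records with `affected[].ranges[].events[].fixed`); the numeric `cvss_score` and `epss` fields, the thresholds, package names and advisory ids are all constructed for the example.

```python
"""Triage scanner findings into patching actions for an automated PR pipeline.

Assumptions (not from osv-scanner or this thread): the report shape below,
the numeric cvss_score/epss fields on each advisory, and the thresholds.
"""
import json
from dataclasses import dataclass
from typing import Optional

AUTO_PR_CVSS = 7.0   # assumed threshold: open a PR without review at high/critical
AUTO_PR_EPSS = 0.5   # assumed threshold: or when exploitation is judged likely

# Constructed sample report in the assumed (simplified) osv-scanner-like shape.
# "MAL-" ids follow the OSV prefix used for malicious-package advisories.
SAMPLE_REPORT = json.dumps({"results": [{
    "source": {"path": "package-lock.json", "type": "lockfile"},
    "packages": [
        {"package": {"name": "example-lib", "version": "1.2.0", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "EXAMPLE-2024-0001", "cvss_score": 9.8, "epss": 0.40,
                              "affected": [{"package": {"name": "example-lib", "ecosystem": "npm"},
                                            "ranges": [{"type": "SEMVER", "events": [
                                                {"introduced": "0"}, {"fixed": "1.2.5"}]}]}]}]},
        {"package": {"name": "example-util", "version": "2.0.0", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "EXAMPLE-2024-0002", "cvss_score": 4.3, "epss": 0.01,
                              "affected": [{"package": {"name": "example-util", "ecosystem": "npm"},
                                            "ranges": [{"type": "SEMVER", "events": [
                                                {"introduced": "0"}, {"fixed": "2.0.1"}]}]}]}]},
        {"package": {"name": "example-typo", "version": "0.0.3", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "MAL-0000-0000", "cvss_score": 0.0, "epss": 0.0,
                              "affected": [{"package": {"name": "example-typo", "ecosystem": "npm"},
                                            "ranges": [{"type": "SEMVER", "events": [
                                                {"introduced": "0"}]}]}]}]},
        {"package": {"name": "example-old", "version": "3.1.0", "ecosystem": "npm"},
         "vulnerabilities": [{"id": "EXAMPLE-2024-0003", "cvss_score": 8.1, "epss": 0.10,
                              "affected": [{"package": {"name": "example-old", "ecosystem": "npm"},
                                            "ranges": [{"type": "SEMVER", "events": [
                                                {"introduced": "0"}]}]}]}]},
    ]}]})


@dataclass
class Action:
    package: str
    ecosystem: str
    current: str
    strategy: str            # direct_upgrade | remove_or_downgrade | manual_review
    target: Optional[str]    # version to move to, when one is known
    advisory: str
    reason: str


def first_fixed_version(vuln: dict, name: str) -> Optional[str]:
    """Return the first 'fixed' event for this package from OSV-style affected ranges."""
    for aff in vuln.get("affected", []):
        if aff.get("package", {}).get("name") != name:
            continue
        for rng in aff.get("ranges", []):
            for ev in rng.get("events", []):
                if "fixed" in ev:
                    return ev["fixed"]
    return None


def triage(report_json: str, auto_cvss: float = AUTO_PR_CVSS,
           auto_epss: float = AUTO_PR_EPSS) -> list:
    """Map every finding to a patching strategy; a human reviews anything not auto-patchable."""
    actions = []
    for result in json.loads(report_json).get("results", []):
        for entry in result.get("packages", []):
            pkg = entry["package"]
            for vuln in entry.get("vulnerabilities", []):
                vid = vuln["id"]
                fixed = first_fixed_version(vuln, pkg["name"])
                cvss, epss = vuln.get("cvss_score", 0.0), vuln.get("epss", 0.0)
                if vid.startswith("MAL-"):
                    # Malware/typosquat: score is irrelevant, the package has to go.
                    strategy, target, reason = "remove_or_downgrade", None, "malicious package advisory"
                elif cvss < auto_cvss and epss < auto_epss:
                    strategy, target, reason = "manual_review", fixed, "below auto-patch threshold"
                elif fixed is None:
                    strategy, target, reason = "manual_review", None, "no fixed version published"
                else:
                    strategy, target, reason = "direct_upgrade", fixed, f"cvss={cvss} epss={epss}"
                actions.append(Action(pkg["name"], pkg["ecosystem"], pkg["version"],
                                      strategy, target, vid, reason))
    return actions


def summarize(actions: list) -> dict:
    """Count actions per strategy, e.g. to gate the PR-generation step."""
    counts: dict = {}
    for a in actions:
        counts[a.strategy] = counts.get(a.strategy, 0) + 1
    return counts


if __name__ == "__main__":
    for a in triage(SAMPLE_REPORT):
        print(f"{a.strategy:20} {a.ecosystem}/{a.package} {a.current} -> {a.target} ({a.advisory}: {a.reason})")
    print(summarize(triage(SAMPLE_REPORT)))
```

The output of `triage` is what a PR generator would consume: `direct_upgrade` entries carry a target version for an in-place lock file edit, `remove_or_downgrade` entries need the dependency dropped or pinned back before anything else, and `manual_review` entries (low score, or no published fix) stay in the human queue. Lowering `auto_cvss`/`auto_epss` later is the "lower the threshold" step mentioned above.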