The Problem with Blind Upgrades

npm audit fix and its equivalents (pip install --upgrade, go get -u) follow a simple rule: find the lowest version that resolves the CVE, upgrade to it. The approach fails in three common ways:

  • Major version jumps β€” the fix requires upgrading from v2 to v3, which has breaking API changes. Your code breaks silently if tests are incomplete.
  • Transitive dependency conflicts β€” upgrading package A conflicts with the version of package B required by package C. The lockfile becomes inconsistent.
  • The vulnerability is in an unused code path β€” the fix is unnecessary and introduces risk for zero security benefit.

The npm audit fix --force problem: The --force flag overrides semver compatibility checks. Using it in production without understanding the breaking changes is effectively deploying untested code.

The AI Approach to Dependency Remediation

An AI-driven dependency remediation engine evaluates several dimensions before proposing a fix:

  1. Reachability analysis β€” is the vulnerable function actually called from your code? If not, the risk is near-zero and the fix can be deprioritised.
  2. Breaking change detection β€” parse the changelog and release notes of the target version. Identify API removals, signature changes, and behaviour changes that affect your usage.
  3. Usage pattern analysis β€” scan your codebase for all imports and usages of the vulnerable package. Map which breaking changes affect which usages.
  4. Compatibility scoring β€” calculate a confidence score for the upgrade: "This upgrade requires changing 3 call sites but no API changes affect your usage. Confidence: high."
  5. Fix strategy selection β€” choose from: bump version, pin to safe minor version, apply patch directly to vendored copy, replace with alternative library.

Breaking Change Analysis in Practice

For a lodash 4.17.15 β†’ 4.17.21 upgrade, the analysis is simple: no API changes, identical usage. Confidence: very high. For an express 4.x β†’ 5.x upgrade, the analysis is complex:

  • Callback-style route handlers are removed
  • app.del() is removed, use app.delete()
  • Error-handling middleware signature changed
  • Promise rejection handling changed

The AI engine scans your codebase, identifies which of these breaking changes affect your code, generates the necessary call site migrations, and produces a combined PR: version bump + migration code changes + updated tests.

This is the key differentiator: AI remediation can propose a major version upgrade with all the call site migrations bundled into a single, reviewable PR β€” something npm audit fix cannot do at all.

Upgrade Strategies

Four strategies, chosen by the AI based on analysis:

  • Clean bump β€” no API changes, no call site modifications needed. Auto-merge safe for tested packages.
  • Bump + migrate β€” breaking changes exist but affected call sites can be auto-migrated. PR includes both changes.
  • Patch (backport) β€” upgrade is impractical but a security patch can be applied to the current version. Useful for pinned major versions.
  • Replace β€” the package is abandoned, the vulnerability is unfixable, and an alternative library exists. AI generates the migration to the alternative.

Dependency Remediation at Scale

At 100+ repositories, manual dependency management is impossible. AI remediation enables:

  • Batch processing β€” identify the same vulnerability across 50 repos, generate 50 upgrade PRs simultaneously
  • Consistency enforcement β€” ensure all repos are on the same pinned safe version of shared internal packages
  • Prioritisation β€” CVSS Γ— EPSS Γ— reachability score determines which repos get remediation first
  • Rollup PRs β€” group all dependency fixes for a repo into a single PR rather than 20 separate ones

"At scale, the question is not 'can we fix this' but 'can we fix this consistently across 500 repos without breaking anything.' That is where AI remediation earns its place."