Skip to main content
Commands

vg fix

Analyse drift and get ranked, risk-tiered upgrade plans — safe, balanced, and full — scored on real-world exploitability. Read-only until you choose to apply.

Overview

vg fix reads your drift — the gap between the versions you run and the latest stable releases — and returns three ranked upgrade plans, scored on real-world exploitability. It answers the question a plain outdated-dependency list can't: which upgrade should you do first?

vg fix is read-only by default. It never edits your project unless you explicitly apply a plan.

Hosted capability. Drift scoring and the code map are free and local. The ranked planner runs on Vibgrate's servers, so vg fix needs a login — run vg login once, or set a VIBGRATE_DSN. It sends dependency versions and aggregate usage signals only; it never uploads your source.


Usage

vg fix

Analyse the current directory. Pass a path to analyse elsewhere: vg fix packages/api.


The three plans

Each plan is a real, ordered set of upgrades with a risk score (0–100), the advisories it closes, and the DriftScore you would land on:

vg fix
Vibgrate fix — upgrade plan
12 drifted dependencies analysed
⚠ 2 packages carry a KNOWN-EXPLOITED (KEV) advisory, peak EPSS 74% — prioritise these.

● recommended  Low-risk — patch and minor updates only
    risk 12/100 low  ·  5 upgrades  ·  fixes 1 critical, 2 high  ·  DriftScore 58 → 54
○ Full — everything to latest stable
    risk 58/100 high  ·  12 upgrades  ·  DriftScore 58 → 31

The user-facing labels are Low-risk, Balanced, and Full. When applying non-interactively, the --plan flag takes the tier values safe, balanced, and aggressive.


Scored on exploitability, not just severity

The ranking layers two public signals on top of advisory data, so the queue reflects what is actually happening in the wild:

  • CISA KEV — the Known Exploited Vulnerabilities catalog. A flaw on this list is being exploited now.
  • FIRST EPSS — the Exploit Prediction Scoring System, a probability of near-term exploitation.

A known-exploited, high-EPSS package outranks a higher-CVSS flaw that no one has ever weaponised.


It re-scans so the plan is current

If a manifest or lockfile changed since your last scan, vg fix re-runs the drift scan first, so recommendations describe the code you have now — not a stale snapshot.


Applying a plan (you decide)

# Print the plans and stop — never edits the project
vg fix --no-apply

# Preview the exact changes without writing them
vg fix --dry-run

# Apply the low-risk plan without prompting
vg fix --plan safe --yes

Applying a plan runs your project's own package manager. The command exits non-zero if an upgrade fails.


Gate CI on exploitability

--fail-on-vulns exits non-zero when the recommended plan would still leave an advisory at or above the given severity unresolved:

vg fix --no-apply --fail-on-vulns high

Options

FlagDescription
--plan <tier>Apply a tier non-interactively: safe, balanced, or aggressive
--no-applyOnly print the plans; never modify the project
--dry-runShow what would change without applying
--yesApply the recommended plan without prompting
--fail-on-vulns <severity>Exit non-zero if an advisory at/above low|moderate|high|critical is left unresolved
--format <format>Output format: text (default), json, or md
--in <file>Scan artifact to read (default .vibgrate/scan_result.json)
--dsn <dsn>DSN token (or use VIBGRATE_DSN / vg login)
--region <region>Data-residency region (us, eu)

Related

  • vg scan — the drift scan that feeds the planner
  • vg scan --vulns — the vulnerability data behind the ranking
  • DriftScore — the 0–100 metric each plan moves
No live demo for this command

vg fix calls the hosted Vibgrate planner and needs a login or DSN, so it cannot carry an offline live replay. The output shown below is the real format.

Related Documentation

Related Help Articles