Overview
vg fix reads your drift — the gap between the versions you run and the latest stable releases — and returns three ranked upgrade plans, scored on real-world exploitability. It answers the question a plain outdated-dependency list can't: which upgrade should you do first?
vg fix is read-only by default. It never edits your project unless you explicitly apply a plan.
Hosted capability. Drift scoring and the code map are free and local. The ranked planner runs on Vibgrate's servers, so vg fix needs a login — run vg login once, or set a VIBGRATE_DSN. It sends dependency versions and aggregate usage signals only; it never uploads your source.
Usage
vg fix
Analyse the current directory. Pass a path to analyse elsewhere: vg fix packages/api.
The three plans
Each plan is a real, ordered set of upgrades with a risk score (0–100), the advisories it closes, and the DriftScore you would land on:
vg fix
Vibgrate fix — upgrade plan
12 drifted dependencies analysed
⚠ 2 packages carry a KNOWN-EXPLOITED (KEV) advisory, peak EPSS 74% — prioritise these.
● recommended Low-risk — patch and minor updates only
risk 12/100 low · 5 upgrades · fixes 1 critical, 2 high · DriftScore 58 → 54
○ Full — everything to latest stable
risk 58/100 high · 12 upgrades · DriftScore 58 → 31
The user-facing labels are Low-risk, Balanced, and Full. When applying non-interactively, the --plan flag takes the tier values safe, balanced, and aggressive.
Scored on exploitability, not just severity
The ranking layers two public signals on top of advisory data, so the queue reflects what is actually happening in the wild:
- CISA KEV — the Known Exploited Vulnerabilities catalog. A flaw on this list is being exploited now.
- FIRST EPSS — the Exploit Prediction Scoring System, a probability of near-term exploitation.
A known-exploited, high-EPSS package outranks a higher-CVSS flaw that no one has ever weaponised.
It re-scans so the plan is current
If a manifest or lockfile changed since your last scan, vg fix re-runs the drift scan first, so recommendations describe the code you have now — not a stale snapshot.
Applying a plan (you decide)
# Print the plans and stop — never edits the project
vg fix --no-apply
# Preview the exact changes without writing them
vg fix --dry-run
# Apply the low-risk plan without prompting
vg fix --plan safe --yes
Applying a plan runs your project's own package manager. The command exits non-zero if an upgrade fails.
Gate CI on exploitability
--fail-on-vulns exits non-zero when the recommended plan would still leave an advisory at or above the given severity unresolved:
vg fix --no-apply --fail-on-vulns high
Options
| Flag | Description |
|---|---|
--plan <tier> | Apply a tier non-interactively: safe, balanced, or aggressive |
--no-apply | Only print the plans; never modify the project |
--dry-run | Show what would change without applying |
--yes | Apply the recommended plan without prompting |
--fail-on-vulns <severity> | Exit non-zero if an advisory at/above low|moderate|high|critical is left unresolved |
--format <format> | Output format: text (default), json, or md |
--in <file> | Scan artifact to read (default .vibgrate/scan_result.json) |
--dsn <dsn> | DSN token (or use VIBGRATE_DSN / vg login) |
--region <region> | Data-residency region (us, eu) |
Related
- vg scan — the drift scan that feeds the planner
- vg scan --vulns — the vulnerability data behind the ranking
- DriftScore — the 0–100 metric each plan moves