Usage
vg fix
Analyse the current directory and print three ranked upgrade plans. Pass a path to analyse elsewhere: vg fix packages/api.
What It Does
vg fix reads your drift — the gap between the versions you run and the latest stable releases — and returns three ranked, risk-tiered upgrade plans: Low-risk, Balanced, and Full. Each plan is a real, ordered set of upgrades with a risk score, the advisories it closes, and the DriftScore you would land on.
The ranking is scored on real-world exploitability, not severity alone. It layers the CISA KEV catalog (vulnerabilities being exploited in the wild) and FIRST EPSS (probability of near-term exploitation) on top of the advisory data, so a known-exploited package rises above a higher-CVSS flaw that nobody has weaponised.
vg fix is read-only by default — it never edits your project unless you apply a plan.
Login required
Drift scoring and the code map are free and local. The ranked planner runs on Vibgrate's servers, so vg fix needs a login. Run vg login once, or set a VIBGRATE_DSN. It sends dependency versions and aggregate usage signals only — never your source.
Applying a plan
# Print the plans and stop — never edits the project
vg fix --no-apply
# Preview exact changes without writing them
vg fix --dry-run
# Apply the low-risk plan without prompting
vg fix --plan safe --yes
The --plan flag takes the tier values safe, balanced, and aggressive (shown as Low-risk / Balanced / Full). Applying runs your project's own package manager.
Gate CI on exploitability
vg fix --no-apply --fail-on-vulns high
Exits non-zero when the recommended plan would leave an advisory at or above the given severity unresolved.
Key options
--plan <safe|balanced|aggressive>— apply a tier non-interactively--no-apply— only print the plans; never modify the project--dry-run— show what would change without applying--fail-on-vulns <severity>— exit non-zero if alow|moderate|high|criticaladvisory is left unresolved--format <text|json|md>— output format
Related
vg scan --vulns— the vulnerability data behind the rankingvg why— who introduced a vulnerable dependency