Skip to main content

vg fix — Ranked, Risk-Tiered Upgrade Plans

Get three ranked upgrade plans — Low-risk, Balanced, and Full — scored on real-world exploitability (CISA KEV and FIRST EPSS), so the dangerous upgrade rises to the top. Read-only until you choose to apply.

Vibgrate Docs

Vibgrate Help

Usage

vg fix

Analyse the current directory and print three ranked upgrade plans. Pass a path to analyse elsewhere: vg fix packages/api.

What It Does

vg fix reads your drift — the gap between the versions you run and the latest stable releases — and returns three ranked, risk-tiered upgrade plans: Low-risk, Balanced, and Full. Each plan is a real, ordered set of upgrades with a risk score, the advisories it closes, and the DriftScore you would land on.

The ranking is scored on real-world exploitability, not severity alone. It layers the CISA KEV catalog (vulnerabilities being exploited in the wild) and FIRST EPSS (probability of near-term exploitation) on top of the advisory data, so a known-exploited package rises above a higher-CVSS flaw that nobody has weaponised.

vg fix is read-only by default — it never edits your project unless you apply a plan.

Login required

Drift scoring and the code map are free and local. The ranked planner runs on Vibgrate's servers, so vg fix needs a login. Run vg login once, or set a VIBGRATE_DSN. It sends dependency versions and aggregate usage signals only — never your source.

Applying a plan

# Print the plans and stop — never edits the project
vg fix --no-apply

# Preview exact changes without writing them
vg fix --dry-run

# Apply the low-risk plan without prompting
vg fix --plan safe --yes

The --plan flag takes the tier values safe, balanced, and aggressive (shown as Low-risk / Balanced / Full). Applying runs your project's own package manager.

Gate CI on exploitability

vg fix --no-apply --fail-on-vulns high

Exits non-zero when the recommended plan would leave an advisory at or above the given severity unresolved.

Key options

  • --plan <safe|balanced|aggressive> — apply a tier non-interactively
  • --no-apply — only print the plans; never modify the project
  • --dry-run — show what would change without applying
  • --fail-on-vulns <severity> — exit non-zero if a low|moderate|high|critical advisory is left unresolved
  • --format <text|json|md> — output format

Related

  • vg scan --vulns — the vulnerability data behind the ranking
  • vg why — who introduced a vulnerable dependency

Related Commands