
feat(audit): add fix update mode#10341

Merged
zkochan merged 26 commits into pnpm:main from jasonpaulos:pnpm-audit-fix-update
Mar 12, 2026

Conversation


@jasonpaulos jasonpaulos commented Dec 19, 2025

Add the ability to fix vulnerabilities by updating packages in the lockfile instead of adding overrides.

This can be invoked with pnpm audit --fix update. Invoking with just --fix or --fix override will still use the old behavior of adding overrides to the package.json.

Addresses the discussion from https://github.com/orgs/pnpm/discussions/9843

@jasonpaulos jasonpaulos requested a review from zkochan as a code owner December 19, 2025 16:14
Copilot AI review requested due to automatic review settings December 19, 2025 16:14

welcome bot commented Dec 19, 2025

💖 Thanks for opening this pull request! 💖
Please be patient and we will get back to you as soon as we can.


Copilot AI left a comment


Pull request overview

This PR adds an experimental --fix=update mode to the audit command that fixes vulnerabilities by updating packages in the lockfile instead of adding overrides to package.json. The default behavior remains adding overrides (--fix=override).

Key changes:

  • Introduces PackageVulnerabilityAudit interface to track and check vulnerabilities during dependency resolution
  • Implements version penalization in package resolution to prefer non-vulnerable versions
  • Adds new fixWithUpdate function that triggers dependency updates for vulnerable packages

Reviewed changes

Copilot reviewed 23 out of 25 changed files in this pull request and generated 1 comment.

Summary per file:
  • packages/types/src/misc.ts: Defines PackageVulnerabilityAudit interface and VulnerabilitySeverity enum
  • resolving/npm-resolver/src/pickPackageFromMeta.ts: Implements penalizeVulnerableVersions to assign negative weights to vulnerable version ranges
  • lockfile/plugin-commands-audit/src/fixWithUpdate.ts: New file implementing update-based vulnerability fixing
  • lockfile/plugin-commands-audit/src/audit.ts: Updates audit handler to support --fix=update and --fix=override modes
  • lockfile/plugin-commands-audit/src/severity.ts: Maps audit levels to vulnerability severity values
  • lockfile/plugin-commands-audit/test/*: Adds test coverage and refactors existing tests
  • pkg-manager/*/src/*: Threads packageVulnerabilityAudit option through dependency resolution layers
  • lockfile/plugin-commands-audit/package.json: Moves plugin-commands-installation from devDependencies to dependencies, updates Jest preset
Files not reviewed (2)
  • lockfile/plugin-commands-audit/test/fixtures/update-linear-depth-3/pnpm-lock.yaml: Language not supported
  • pnpm-lock.yaml: Language not supported

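The review above describes the PR's approach of penalizing vulnerable version ranges during resolution. The following is an added illustration of that idea and is not pnpm's code nor its penalizeVulnerableVersions implementation: each candidate version is weighted by how many advisory ranges it matches, and the resolver takes the best-weighted, then newest, version that still satisfies the dependent's range. It assumes a simplified version format (x.y.z), a simplified range syntax ("*" or space-separated comparators), and a hypothetical Advisory shape.

```typescript
// Added example, not pnpm's code: version selection that penalizes versions
// matching advisory ranges. Simplified: x.y.z versions only; ranges are "*" or
// space-separated comparators (>=, <=, >, <, =). The Advisory shape is assumed.
type Version = [number, number, number];
interface Advisory { id: string; vulnerableRange: string }

function parseVersion(v: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function satisfies(v: Version, range: string): boolean {
  if (range.trim() === '*') return true;
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const cmp = compareVersions(v, parseVersion(m[2]));
    switch (m[1] ?? '=') {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '<': return cmp < 0;
      default: return cmp === 0;
    }
  });
}

// Highest version satisfying `wanted` with the fewest matching advisories. If every
// candidate is affected, the newest affected one is returned with its advisory ids.
function pickVersion(available: string[], wanted: string, advisories: Advisory[]): { version: string; advisories: string[] } | null {
  let best: { version: string; parsed: Version; advisories: string[] } | null = null;
  for (const version of available) {
    const parsed = parseVersion(version);
    if (!satisfies(parsed, wanted)) continue;
    // Negative weight = number of advisories whose vulnerable range this version falls in.
    const hits = advisories.filter((a) => satisfies(parsed, a.vulnerableRange)).map((a) => a.id);
    if (best === null || hits.length < best.advisories.length
      || (hits.length === best.advisories.length && compareVersions(parsed, best.parsed) > 0)) {
      best = { version, parsed, advisories: hits };
    }
  }
  return best === null ? null : { version: best.version, advisories: best.advisories };
}
```

A non-empty `advisories` list on the returned pick means no version inside the dependent's range escapes the advisory, which is the case where only a major update or an override can help.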

@jasonpaulos jasonpaulos force-pushed the pnpm-audit-fix-update branch from c44bab0 to 1b196e6 January 4, 2026 02:31
@jasonpaulos jasonpaulos force-pushed the pnpm-audit-fix-update branch from 1b196e6 to 8f09065 January 5, 2026 22:11
@jasonpaulos jasonpaulos force-pushed the pnpm-audit-fix-update branch 3 times, most recently from a5a7c5c to a44ddcd January 28, 2026 02:40
@jasonpaulos jasonpaulos changed the title feat: add audit fix update mode feat(audit): add fix update mode Jan 28, 2026
@jasonpaulos jasonpaulos marked this pull request as ready for review January 28, 2026 02:46
@jasonpaulos jasonpaulos requested a review from Copilot January 28, 2026 02:46

Copilot AI left a comment


Pull request overview

Copilot reviewed 32 out of 36 changed files in this pull request and generated 2 comments.

Files not reviewed (4)
  • lockfile/plugin-commands-audit/test/fixtures/update-multiple/pnpm-lock.yaml: Language not supported
  • lockfile/plugin-commands-audit/test/fixtures/update-single-depth-2/pnpm-lock.yaml: Language not supported
  • lockfile/plugin-commands-audit/test/fixtures/update-single-depth-3/pnpm-lock.yaml: Language not supported
  • pnpm-lock.yaml: Language not supported



Copilot AI left a comment


Pull request overview

Copilot reviewed 32 out of 36 changed files in this pull request and generated 5 comments.

Files not reviewed (4)
  • lockfile/plugin-commands-audit/test/fixtures/update-multiple/pnpm-lock.yaml: Language not supported
  • lockfile/plugin-commands-audit/test/fixtures/update-single-depth-2/pnpm-lock.yaml: Language not supported
  • lockfile/plugin-commands-audit/test/fixtures/update-single-depth-3/pnpm-lock.yaml: Language not supported
  • pnpm-lock.yaml: Language not supported



Copilot AI left a comment


Pull request overview

Copilot reviewed 32 out of 36 changed files in this pull request and generated 1 comment.

Files not reviewed (4)
  • lockfile/plugin-commands-audit/test/fixtures/update-multiple/pnpm-lock.yaml: Language not supported
  • lockfile/plugin-commands-audit/test/fixtures/update-single-depth-2/pnpm-lock.yaml: Language not supported
  • lockfile/plugin-commands-audit/test/fixtures/update-single-depth-3/pnpm-lock.yaml: Language not supported
  • pnpm-lock.yaml: Language not supported


@jasonpaulos jasonpaulos force-pushed the pnpm-audit-fix-update branch 2 times, most recently from f0ed3ef to df470d5 January 28, 2026 03:50
@jasonpaulos jasonpaulos requested a review from zkochan February 20, 2026 21:54
@jasonpaulos
Contributor Author

@zkochan just checking in on this PR since it's been open for a while. I'd appreciate any feedback on what might be needed to move it forward. Thanks

@zkochan zkochan merged commit 15549a9 into pnpm:main Mar 12, 2026
9 of 10 checks passed
@jasonpaulos jasonpaulos deleted the pnpm-audit-fix-update branch March 12, 2026 22:07