Automatic Dependency Updates
CodeStax automatically creates fix PRs on GitHub with the correct version bumps for vulnerable or outdated dependencies. When a scan detects a fixable vulnerability, CodeStax opens a pull request that updates the affected manifest file to the safe version. No GitHub App is required — PRs are created using your connected OAuth token.
Configuration
Navigate to SCA > Auto-Update for a repository to configure update preferences:
| Toggle | Description | Default |
|---|---|---|
| Auto-Patch | Automatically create fix PRs for patch version bumps | On |
| Auto-Minor | Automatically create fix PRs for minor version bumps | Off |
| Auto-Major | Automatically create fix PRs for major version bumps | Off |
When a toggle is enabled, CodeStax creates a pull request on your repository after each scan that detects fixable vulnerabilities. The PR includes the updated manifest file with the correct version bump applied.
Merge Confidence Scoring
Each proposed update receives a confidence score from 0 to 100 that estimates the risk of merging the change. Merge confidence is calculated based on version change type, security impact, community adoption, and breaking change likelihood.
Confidence Levels
- High (80-100) — Low risk. Safe to merge with minimal review.
- Medium (50-79) — Moderate risk. Review changelog before merging.
- Low (0-49) — Higher risk. Thorough testing recommended before merge.
Creating a Fix PR
From the Dashboard
- Open a finding in SCA > Fixes or from the vulnerability detail page.
- Review the proposed version bump and merge confidence score.
- Click Create Fix PR.
- CodeStax creates a pull request on your repository with the updated manifest file.
What the PR Contains
- A branch named codestax/fix-<package>-<version> with the manifest update applied
- The updated package.json or requirements.txt with the correct version bump
- A PR description summarizing the vulnerability fixed, the version change, and the confidence score
- PRs are created via your connected OAuth token — no GitHub App installation required
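To make the auto-update toggles and the PR contents concrete, the following added example (written for this page, not CodeStax's own code) classifies a proposed version bump as patch, minor or major, checks it against the Auto-Patch / Auto-Minor / Auto-Major toggles with the defaults shown above, rewrites the pinned version in a package.json or requirements.txt, and derives the codestax/fix-<package>-<version> branch name. The manifest contents, the `propose_fix` function name and the toggle dictionary are constructed assumptions; CodeStax's internal implementation is not described on this page.

```python
"""Added example, not CodeStax's own code: classify a dependency version bump,
apply the SCA > Auto-Update toggles, and produce the updated manifest text plus
the fix branch name.  All sample manifests below are constructed test data."""
import json
import re
from typing import Dict, Optional, Tuple

# Constructed sample manifests (not taken from any real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"lodash": "^4.17.20", "express": "4.18.2"},
    "devDependencies": {"jest": "29.0.0"},
}, indent=2)

SAMPLE_REQUIREMENTS = "requests==2.30.0\nDjango>=4.2,<5\nurllib3==1.26.5\n"

# Defaults from the Auto-Update table: patch bumps on, minor and major off.
DEFAULT_TOGGLES = {"patch": True, "minor": False, "major": False}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse the leading MAJOR.MINOR.PATCH of a version string."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def bump_type(current: str, fixed: str) -> str:
    """Return 'major', 'minor' or 'patch' for the move from current to fixed."""
    c, f = parse_version(current), parse_version(fixed)
    if f <= c:
        raise ValueError("fixed version must be newer than the current version")
    if f[0] != c[0]:
        return "major"
    if f[1] != c[1]:
        return "minor"
    return "patch"


def should_auto_create(bump: str, toggles: Dict[str, bool]) -> bool:
    """A PR is created automatically only if the toggle for that bump type is on."""
    return toggles.get(bump, False)


def branch_name(package: str, version: str) -> str:
    """Branch naming scheme described on this page."""
    return f"codestax/fix-{package}-{version}"


def update_package_json(text: str, package: str, fixed: str) -> Tuple[str, str]:
    """Rewrite the package's version in dependencies/devDependencies,
    keeping any ^ or ~ range prefix.  Returns (new_text, current_version)."""
    data = json.loads(text)
    current: Optional[str] = None
    for section in ("dependencies", "devDependencies"):
        deps = data.get(section, {})
        if package in deps:
            spec = deps[package]
            prefix = spec[0] if spec and spec[0] in "^~" else ""
            current = spec.lstrip("^~")
            deps[package] = prefix + fixed
    if current is None:
        raise KeyError(f"{package} not found in package.json")
    return json.dumps(data, indent=2) + "\n", current


def update_requirements(text: str, package: str, fixed: str) -> Tuple[str, str]:
    """Rewrite an exact '==' pin for the package; other lines are left untouched.
    Returns (new_text, current_version)."""
    out, current = [], None
    pin = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)(.*)$")
    for line in text.splitlines():
        m = pin.match(line)
        if m and m.group(1).lower() == package.lower():
            current = m.group(2)
            line = f"{m.group(1)}=={fixed}{m.group(3)}"
        out.append(line)
    if current is None:
        raise KeyError(f"{package} is not pinned with == in requirements.txt")
    return "\n".join(out) + "\n", current


def propose_fix(manifest: str, text: str, package: str, fixed: str,
                toggles: Optional[Dict[str, bool]] = None) -> Dict[str, object]:
    """Build the fix proposal: bump type, auto-create decision, branch, manifest."""
    toggles = DEFAULT_TOGGLES if toggles is None else toggles
    if manifest == "package.json":
        updated, current = update_package_json(text, package, fixed)
    elif manifest == "requirements.txt":
        updated, current = update_requirements(text, package, fixed)
    else:
        raise ValueError(f"unsupported manifest: {manifest}")
    bump = bump_type(current, fixed)
    return {
        "package": package, "current": current, "fixed": fixed, "bump": bump,
        "auto_create": should_auto_create(bump, toggles),
        "branch": branch_name(package, fixed),
        "manifest": updated,
    }


if __name__ == "__main__":
    fix = propose_fix("package.json", SAMPLE_PACKAGE_JSON, "lodash", "4.17.21")
    print(fix["bump"], fix["auto_create"], fix["branch"])
    fix = propose_fix("requirements.txt", SAMPLE_REQUIREMENTS, "urllib3", "2.0.7")
    print(fix["bump"], fix["auto_create"], fix["branch"])
```

With the default toggles a lodash 4.17.20 to 4.17.21 bump is a patch and would be opened automatically, while urllib3 1.26.5 to 2.0.7 is a major bump that only a member clicking Create Fix PR would produce. Note that a range such as `Django>=4.2,<5` is deliberately not rewritten: a fix PR should change a pin, not silently widen or narrow a range the maintainers chose.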
Supported Manifests
| File | Ecosystem |
|---|---|
| package.json | npm |
| requirements.txt | Python |
Support for additional manifest formats (Go modules, Maven, Gradle) is planned.
Permissions
Creating fix PRs requires a connected repository with a valid OAuth token that has write access. The PR is authored by your connected SCM account. Organization admins and owners can configure auto-update settings; members can trigger individual fix PRs from the dashboard.