Remediation
Remediation in dependency security means taking action to eliminate or reduce a known vulnerability. The most common form is updating a vulnerable package to a version that contains the fix. Other forms include applying a vendor patch, using an npm override to force a safe transitive version, or — as a last resort — removing the vulnerable dependency entirely.
Types of remediation
Direct version update
The cleanest fix — bump the vulnerable package to the safe version in your manifest and run your package manager. This works when you control the direct dependency.
# npm
npm install lodash@4.17.21

# pip
pip install Django==4.2.13

# Ruby
bundle update nokogiri
Override / forced resolution
When the vulnerability is in a transitive dependency you don't control directly, you can force the package manager to use a safe version. PackageFix generates this block automatically.
// package.json — npm overrides
{
  "overrides": {
    "qs": "6.11.0"
  }
}
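As an added example (not PackageFix's own code), the following Node.js script shows the decision behind that block: it walks a lockfileVersion 2/3 package-lock.json, finds every installed copy of a package that is below its fixed version, and splits the findings into a manifest bump (when the vulnerable copy is a direct dependency at the top of node_modules) versus an "overrides" entry (when the copy is nested under another package). The lockfile, the advisory list and the function names are constructed for illustration; the fixed versions are the ones quoted on this page.

```javascript
// Added example, not PackageFix code: plan npm remediation from a lockfile.
// Assumes the lockfileVersion 2/3 layout: a "packages" map keyed by
// node_modules path, with the root entry "" listing direct dependencies.

// Compare two dotted numeric versions ("6.5.2" vs "6.11.0"); returns -1, 0 or 1.
// Limitation: pre-release suffixes ("1.0.0-beta") are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path such as "node_modules/express/node_modules/qs".
// Works for scoped packages too ("node_modules/@scope/pkg" -> "@scope/pkg").
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// advisories: [{ name, fixed }] where "fixed" is the first safe version.
// Returns { bumps: { name: version }, overrides: { name: version } }.
function planRemediation(lock, advisories) {
  const direct = new Set(Object.keys(lock.packages[""].dependencies || {}));
  const plan = { bumps: {}, overrides: {} };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root entry describes the project itself
    const name = nameFromPath(path);
    const adv = advisories.find((a) => a.name === name);
    if (!adv || compareVersions(meta.version, adv.fixed) >= 0) continue;
    // Only the top-level copy of a declared dependency is "direct";
    // a nested copy under another package must be forced via overrides.
    const isDirect = direct.has(name) && path === `node_modules/${name}`;
    (isDirect ? plan.bumps : plan.overrides)[name] = adv.fixed;
  }
  return plan;
}

// Merge planned overrides into a package.json object (returns a new object).
function applyOverrides(pkg, overrides) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), ...overrides } };
}

// Constructed sample lockfile: lodash is direct and outdated,
// qs is only present as a nested copy under express.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "4.17.1", lodash: "4.17.20" } },
    "node_modules/express": { version: "4.17.1" },
    "node_modules/express/node_modules/qs": { version: "6.5.2" },
    "node_modules/lodash": { version: "4.17.20" },
  },
};

// Constructed advisory list; fixed versions are the ones this page quotes.
const SAMPLE_ADVISORIES = [
  { name: "qs", fixed: "6.11.0" },
  { name: "lodash", fixed: "4.17.21" },
];

function demo() {
  const plan = planRemediation(SAMPLE_LOCK, SAMPLE_ADVISORIES);
  const manifest = { name: "app", dependencies: SAMPLE_LOCK.packages[""].dependencies };
  return { plan, pkg: applyOverrides(manifest, plan.overrides) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints a plan that bumps lodash to 4.17.21 in the manifest and emits the `"overrides": { "qs": "6.11.0" }` block shown above for the nested copy; after editing package.json accordingly, `npm install` regenerates the lockfile and the nested qs resolves to the safe version.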
Virtual patch
When you can't update the package immediately (integration risk, breaking changes), you can add controls to reduce the attack surface. For example, blocking the specific input pattern that triggers the CVE at your WAF or API gateway. This is a temporary measure — not a substitute for updating.
Remediation priority
Not all CVEs need the same urgency. A practical order:
- CISA KEV entries — fix today. Being exploited right now.
- CRITICAL CVEs in direct dependencies — fix this sprint.
- HIGH CVEs in direct dependencies — fix this sprint.
- CRITICAL/HIGH in transitive dependencies — next sprint, use overrides.
- MEDIUM CVEs — scheduled update cycle.
- LOW CVEs — backlog, address in bulk.
PackageFix generates the fixed manifest with safe versions already applied — download it, run your install command, done. No manual hunting for which version fixed which CVE.