How to run?
You can run it as follows:
patchwork DependencyUpgrade
By default you will need to provide the openai_api_key and the github_api_key. You can pass them as arguments:
patchwork DependencyUpgrade openai_api_key=<Your_API_KEY> github_api_key=<Your_GH_Token>
What it does?
The DependencyUpgrade patchflow first scans your repository using the open-source scanner dep-scan. It then extracts the information about the vulnerable libraries detected by the scan and uses it to build a prompt that is sent to gpt-3.5-turbo to update your package manager file. You can check the default prompt template. The fixed package manager file is then committed to the repository on a new branch, and finally a pull request is created for the user to review and merge the changes.
Configuration
The following are the default configurations that can be modified by the user to adapt the DependencyUpgrade patchflow to their needs. All the options can be set both via CLI arguments and via the yaml config file.
Model
You can choose any LLM API as long as it has an OpenAI API compatible chat completions endpoint. Just update the default values of the relevant options, such as the openai_api_key option.
You can also use llama.cpp to run inference locally on the CPU. Just install the llama-cpp-python package and run its OpenAI compatible web server as described here with the command:
python3 -m llama_cpp.server --hf_model_repo_id TheBloke/deepseek-coder-6.7B-instruct-GGUF --model 'deepseek-coder-6.7b-instruct.Q4_0.gguf'
Once the local server is running you can set:
Upgrade Threshold
You can set the upgrade threshold you want to update the libraries to. The accepted values are 'major', 'minor' or 'patch'.
Severity
You can also set the severity of the vulnerabilities that you want to upgrade. Severity is derived from the CVSS score and can take the values 'none', 'low', 'medium', 'high' and 'critical'.
By default we update the libraries to their fixed versions. If an upgrade crosses a major version, or a lot has changed between the two versions of the library, updating it may break your application. The analyze_impact option can be set to enable an impact analysis of the library upgrades as follows:
Manage PRs
In addition, there are options that let you manage the PRs as you like: set a branch_prefix, or disable the creation of new branches with disable_branch (commits will be made on the current branch). You can also disable PR creation with disable_pr, or force push commits to an existing PR with force_pr_creation.
Prompt template
You can update the default prompt template. The basic prompt that upgrades the dependencies is the one with "id": "depupgrade". Note the use of the variables {{Updates}} and {{PackageManagerFile}}. They are generated by the steps within the DependencyUpgrade patchflow and replaced by the actual values during execution. The expected output response is the complete content of the package manager file with the libraries updated to their fixed versions.
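The following is an added example, not patchwork's own code, showing how the Upgrade Threshold and Severity settings above can filter scan findings, and how the {{Updates}} and {{PackageManagerFile}} variables are filled into a prompt template. The finding fields, the sample template text and the sample findings are constructed here for illustration; the CVSS-to-severity mapping is the CVSS v3 qualitative rating scale, and the reading of the threshold as "permit this level of jump and anything smaller" is an assumption, not something the patchflow documents.

```python
"""Added example (not patchwork's own code): filter findings by severity and
upgrade threshold, then fill the prompt template placeholders.

Assumptions: the finding fields and template text are constructed here; the
severity mapping follows the CVSS v3 qualitative scale (0 none, 0.1-3.9 low,
4.0-6.9 medium, 7.0-8.9 high, 9.0-10.0 critical).
"""
import re

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]
THRESHOLD_ORDER = ["patch", "minor", "major"]


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if score <= 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def parse_version(version: str):
    """Parse 'MAJOR.MINOR.PATCH' (extra parts ignored); missing parts are 0."""
    parts = re.findall(r"\d+", version)[:3]
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def upgrade_kind(current: str, fixed: str) -> str:
    """Classify the jump from current to fixed as major, minor or patch."""
    cur, fix = parse_version(current), parse_version(fixed)
    if fix[0] != cur[0]:
        return "major"
    if fix[1] != cur[1]:
        return "minor"
    return "patch"


def select_updates(findings, upgrade_threshold="major", severity="low"):
    """Keep findings rated at or above `severity` whose fix stays within the
    upgrade threshold. Assumption: 'major' permits major/minor/patch jumps,
    'minor' permits minor/patch, 'patch' permits only patch-level jumps."""
    min_sev = SEVERITY_ORDER.index(severity)
    max_kind = THRESHOLD_ORDER.index(upgrade_threshold)
    selected = []
    for f in findings:
        if SEVERITY_ORDER.index(cvss_to_severity(f["cvss"])) < min_sev:
            continue
        kind = upgrade_kind(f["version"], f["fixed_version"])
        if THRESHOLD_ORDER.index(kind) > max_kind:
            continue
        selected.append(f)
    return selected


# Constructed template text; the real default template is in patchwork itself.
PROMPT_TEMPLATE = (
    "Update the following libraries in the package manager file below "
    "to their fixed versions:\n{{Updates}}\n\nFile:\n{{PackageManagerFile}}\n"
)


def render_prompt(template, updates, package_manager_file):
    """Replace the {{Updates}} and {{PackageManagerFile}} placeholders."""
    updates_text = "\n".join(
        f"- {u['name']}: {u['version']} -> {u['fixed_version']}" for u in updates
    )
    return template.replace("{{Updates}}", updates_text).replace(
        "{{PackageManagerFile}}", package_manager_file
    )


# Constructed sample findings (not real dep-scan output).
SAMPLE_FINDINGS = [
    {"name": "liba", "version": "1.2.3", "fixed_version": "1.2.4", "cvss": 9.8},
    {"name": "libb", "version": "2.0.0", "fixed_version": "3.0.0", "cvss": 7.5},
    {"name": "libc", "version": "0.9.0", "fixed_version": "0.10.0", "cvss": 3.1},
]
SAMPLE_FILE = "liba==1.2.3\nlibb==2.0.0\nlibc==0.9.0\n"

if __name__ == "__main__":
    chosen = select_updates(SAMPLE_FINDINGS, upgrade_threshold="minor", severity="medium")
    print(render_prompt(PROMPT_TEMPLATE, chosen, SAMPLE_FILE))
```

With upgrade_threshold='minor' and severity='medium', only liba survives: libb needs a major jump and libc's CVSS score is only 'low'. Widening the settings to 'major' and 'none' admits all three, which is the trade-off the Analyze Impact option exists for.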