Private preview. fremforge is in private preview — invited customers only. Content is still subject to change.

OSV recommendations

Dependency scanning surfaces individual CVEs. The Recommendations tab on /<org>/_admin/code-security/deps turns that list into a fix list: every set of open findings that a single published fix resolves becomes one card — repo + package + current → fix + which CVEs that one upgrade resolves.

How recommendations are computed

The grouping key is (repo_full_name, ecosystem, package_name, current_version, fixed_version). Findings sharing all five collapse into one card.

Sorting is two-stage:

  1. Severity — critical → high → medium → low.
  2. EPSS score (within severity) — the highest EPSS score across the bundled vulns wins.

That ordering matters within a severity band: a high-severity card whose worst CVE has 95% EPSS (very likely to be exploited soon) sorts above another high-severity card whose worst CVE has 0.1% EPSS (theoretical). Severity still wins across bands, so a critical card at 0.1% EPSS sits above both. Severity answers “is this scary?”; EPSS answers “is this scary right now?”.
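To make the grouping key and the two-stage sort concrete, here is an added Python model of the roll-up. It is illustrative code written for this page, not fremforge's implementation. It assumes a card's severity label is the worst severity among its bundled vulns (the page does not say how that label is chosen), keeps vulnerability IDs in insertion order, and applies the two exclusions described under “Why this is not the same as the Findings tab”: findings with no published fix and dismissed findings never produce a card. The sample findings are constructed; the two lodash CVE IDs are the ones from the card mockup on this page, while the EXAMPLE-* IDs and acme-* packages are placeholders, not real advisories or packages.

```python
"""Toy model of how dependency findings roll up into recommendation cards."""
from dataclasses import dataclass, field
from typing import Optional

# Lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    """One row of the Findings tab: a (CVE x manifest) pair."""
    repo_full_name: str
    ecosystem: str
    package_name: str
    current_version: str
    fixed_version: Optional[str]   # None when the advisory has no published fix
    manifest_path: str
    vuln_id: str
    severity: str                  # critical | high | medium | low
    epss: float                    # FIRST.org EPSS probability, 0.0-1.0
    dismissed: bool = False


@dataclass
class Card:
    """One Recommendations card, i.e. one upgrade that closes several findings."""
    repo_full_name: str
    ecosystem: str
    package_name: str
    current_version: str
    fixed_version: str
    manifest_paths: list = field(default_factory=list)
    vuln_ids: list = field(default_factory=list)
    severity: str = "low"          # worst severity across bundled vulns (assumption)
    epss: float = 0.0              # highest EPSS across bundled vulns


def build_recommendations(findings):
    """Group actionable findings by the five-part key, then sort severity-first, EPSS-second."""
    cards = {}
    for f in findings:
        if f.dismissed or f.fixed_version is None:
            continue  # dismissed, or not actionable yet: never shown on Recommendations
        key = (f.repo_full_name, f.ecosystem, f.package_name, f.current_version, f.fixed_version)
        card = cards.get(key)
        if card is None:
            card = cards[key] = Card(*key)
        if f.manifest_path not in card.manifest_paths:
            card.manifest_paths.append(f.manifest_path)   # same package in two lockfiles: both listed
        if f.vuln_id not in card.vuln_ids:
            card.vuln_ids.append(f.vuln_id)               # same CVE in two manifests: counted once
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[card.severity]:
            card.severity = f.severity
        card.epss = max(card.epss, f.epss)                # highest EPSS across the bundle wins
    # Stage 1: severity band. Stage 2: EPSS descending within the band.
    return sorted(cards.values(), key=lambda c: (SEVERITY_RANK[c.severity], -c.epss))


def render_card(card):
    """One-line text form of a card: first three IDs inline, the rest as +N."""
    ids = card.vuln_ids
    inline = ", ".join(ids[:3]) + (f" +{len(ids) - 3}" if len(ids) > 3 else "")
    return (f"{card.repo_full_name} [{card.severity}] "
            f"{card.ecosystem}:{card.package_name} {card.current_version} -> {card.fixed_version} · "
            f"{len(ids)} vulns fixed · EPSS {card.epss * 100:.1f}% · {inline}")


# Constructed sample input. EXAMPLE-* IDs and acme-* packages are placeholders.
SAMPLE_FINDINGS = [
    Finding("acme/api", "npm", "lodash", "4.17.20", "4.17.21", "package-lock.json", "CVE-2020-8203", "critical", 0.012),
    Finding("acme/api", "npm", "lodash", "4.17.20", "4.17.21", "package-lock.json", "CVE-2021-23337", "high", 0.234),
    Finding("acme/api", "npm", "lodash", "4.17.20", "4.17.21", "pnpm-lock.yaml", "CVE-2021-23337", "high", 0.234),
    Finding("acme/web", "npm", "acme-widgets", "1.2.0", "1.3.0", "package-lock.json", "EXAMPLE-1", "high", 0.95),
    Finding("acme/web", "npm", "acme-widgets", "1.2.0", "1.3.0", "package-lock.json", "EXAMPLE-2", "medium", 0.05),
    Finding("acme/web", "npm", "acme-widgets", "1.2.0", "1.3.0", "package-lock.json", "EXAMPLE-3", "low", 0.01),
    Finding("acme/web", "npm", "acme-widgets", "1.2.0", "1.3.0", "package-lock.json", "EXAMPLE-4", "high", 0.20),
    Finding("acme/web", "pypi", "acme-client", "0.9.0", "0.9.1", "requirements.txt", "EXAMPLE-5", "high", 0.01),
    # No published fix: stays on Findings only.
    Finding("acme/web", "pypi", "acme-client", "0.9.0", None, "requirements.txt", "EXAMPLE-6", "critical", 0.90),
    # Dismissed: appears on neither tab, so it must not raise the lodash card's EPSS.
    Finding("acme/api", "npm", "lodash", "4.17.20", "4.17.21", "package-lock.json", "EXAMPLE-7", "critical", 0.99, dismissed=True),
]

if __name__ == "__main__":
    for card in build_recommendations(SAMPLE_FINDINGS):
        print(render_card(card))
```

Running it prints the lodash card first (critical band, EPSS 23.4%), then acme-widgets (high band, EPSS 95%, four IDs rendered as three inline plus “+1”), then acme-client (high band, EPSS 1%). The unfixed critical finding never becomes a card, which is the point of the tab: it is a fix list, not a risk list.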

What the card shows

acme/api                                              critical
  npm:lodash 4.17.20 → 4.17.21
  3 vulns fixed · EPSS 23.4% · CVE-2021-23337, CVE-2020-8203 +1
                                                  [Open upgrade PR]
  • Manifest paths — if the same package is pinned in package-lock.json and pnpm-lock.yaml, both are listed.
  • EPSS — the highest exploit-prediction probability across the bundled CVEs (0–100%). The daily refresh job pulls EPSS data from FIRST.org.
  • Vulnerability IDs — first three shown inline; rest in a +N summary.

Opening an upgrade PR

Clicking Open upgrade PR asks the fremforge Renovate runner to file a one-off PR with the requested version bump. The PR appears in the customer’s repo under the bot account configured at org level. An audit row is written immediately even if Renovate is still busy, so the intent is durable.

Why this is not the same as the Findings tab

The Findings tab is the canonical source — one row per (CVE × manifest). Recommendations are the actionable summary:

  • A package with no published fix never appears on Recommendations (it’s not actionable yet).
  • A package fixable by a single upgrade appears once on Recommendations and N times on Findings (one row per CVE per manifest that pins it).
  • A dismissed finding never appears on either.

Use Findings to triage individual CVEs and dismissals; use Recommendations to drive the day’s actual fix work.

See also

  • Severity SLAs — how the SLA pill on the Findings tab is computed.
  • Weekly security digest — emails the top 5 EPSS-weighted recommendations every Monday.
  • Push protection — secrets blocked at push time, the upstream half of the same supply-chain triad.