Published on: July 16, 2026
5 min read
Automatically upgrade dependencies, adapt code for breaking changes, and route changes for approval — only GitLab does it natively, with full context.

AI is writing more code and pulling in more dependencies, increasing application risk. Most of that exposure isn't from code your team actively chose. A 2025 study of the Maven ecosystem found vulnerabilities reaching roughly 63% of latest releases through transitive dependencies, versus 31% through direct ones.
Dependency Scanning Auto-Remediation, now in beta, closes the loop for security. When dependency scanning finds a vulnerable package, GitLab opens a merge request to update it, uses AI to fix any build-breaking changes, and iterates until your pipeline passes — with every change governed by your existing gates and audit trail.
As a result, security backlogs shrink without diverting developers, high-severity vulnerabilities get fixed within compliance deadlines, and breaking upgrades arrive as merge requests ready for approval.
Vulnerable and outdated components are a longstanding OWASP Top 10 risk and a leading source of remediation backlogs. Clearing findings is slow, manual work that competes with feature delivery, leaving high-severity vulnerabilities unresolved beyond the 30-day deadlines of PCI-DSS and FedRAMP. Meanwhile, even in established libraries, AI-assisted exploit engineering is accelerating disclosure and weaponization.
Roughly one in eight dependency updates introduce a breaking change, and many labeled backward-compatible still break the build. Teams tend to defer complex changes, and the longer those vulnerabilities sit, the more serious they become.
Dependency Scanning Auto-Remediation turns vulnerable dependencies into reviewed, ready-to-merge fixes, so your team clears findings faster and spends less time resolving breaking changes. Teams see benefits in speed, effort, and control:
Dependency Scanning Auto-Remediation bumps vulnerabilities and fixes breaking changes in two stages:
Automated dependency version bumping runs automatically when scanning detects a vulnerable dependency, opening a merge request to upgrade it to the nearest fixed version. When no eligible fix exists, the finding stays in your vulnerability report until a safe upgrade path becomes available. Every MR is attributed to a dedicated service account, making each change traceable to a distinct identity.
Agentic breaking change resolution handles the tough cases when a version bump introduces breaking changes. When a remediation MR's pipeline fails because the new version breaks your project, GitLab Duo Agent Platform automatically analyzes the pipeline errors, the dependency's changelog, and how your code uses the dependency. Then, within the same MR, it commits fixes to your code so your project works with the updated version. If it can't get the pipeline passing, it stops and posts what it found to the MR so you can take it from there. Supported ecosystems include Bundler, Maven, Gradle, and major Python and JavaScript/TypeScript package managers, with Rust and Go planned in the months ahead.
Auto-remediation never merges on its own. To speed up review, each MR spells out the vulnerability it addresses, the version it moves to, and the code GitLab Duo Agent Platform suggested to keep the build passing, so approvers don't have to reverse-engineer the change.
Auto-remediation runs automatically when SBOM-based dependency scanning detects a vulnerable dependency with an available fix. Practitioners can also initiate it for an individual finding from the vulnerability report. GitLab then opens a remediation MR that flows through your normal review and merge process; when agentic breaking-change resolution is enabled and the version bump breaks the pipeline, GitLab Duo Agent Platform attempts to fix the resulting code changes in that same merge request.
Built-in safeguards keep remediation automation from becoming noise. Cooldown periods stop busy projects from triggering remediation on every pipeline, and GitLab won’t re-create a closed MR unless a newer fix is available.
Configure remediation to match your risk tolerance. You can target vulnerabilities of any severity from low to critical, cap how far version bumps are allowed to go (patch, minor, or major), and store settings in project- or group-level configuration profiles (via API during beta).
Remediation runs through your organization's own pipeline, so it inherits your existing access controls and approval gates. You also get a complete, auditable record of what changed, who approved it, and why.
See Dependency Scanning Auto-Remediation in action:
Dependency Scanning Auto-Remediation is in public beta. It is available on GitLab.com and rolling out to GitLab Self-Managed and GitLab Dedicated.
Ready to try it? Check out the Dependency Scanning Auto-Remediation documentation.
Automated dependency version bumping is included with GitLab Ultimate at no additional cost.
You can get access to agentic breaking-change resolution with a free trial of GitLab Duo Agent Platform. Already a GitLab Ultimate subscriber? Turn on Duo Agent Platform and use the GitLab Credits included with your subscription.
Have feedback? Share it in the feature feedback epic.
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedbackStart building faster today
See what your team can do with the intelligent orchestration platform for DevSecOps.