LegacyFixer

How LegacyFixer works

A controlled GitHub App workflow for Python dependency-security maintenance.

Workflow

  1. A repository owner requests access for one selected public Python repository.
  2. If accepted, the GitHub App is installed only on the approved repository.
  3. A repository push triggers a webhook event.
  4. LegacyFixer queues and runs a dependency-security scan.
  5. The scan result is recorded as a read-only status page.
  6. Pull request creation remains disabled by default and can be enabled only through explicit repository-level settings.

Default behavior

The recommended first onboarding path is passive monitoring. LegacyFixer records findings and does not open a pull request.

When pull request creation is enabled, fixes are proposed through isolated branches and reviewable pull requests. LegacyFixer does not auto-merge.

Current validated coverage

LegacyFixer has been validated for selected Python dependency layouts including requirements.txt, nested requirements.txt, poetry.lock, Pipfile.lock, and setup.cfg install_requires.

Validated behavioral cases include passive findings, dependency conflicts, dependency hell, pull request diff granularity, and the absence of pull request creation in passive mode.