Audit-driven, not generative
Uses dependency-security checks for known Python vulnerabilities. LegacyFixer does not rewrite application logic.
LegacyFixer
LegacyFixer is a controlled GitHub App that scans selected Python repositories, detects known vulnerable dependencies, records scan results, and opens review-ready pull requests only when repository settings allow it.
When PR creation is enabled, fixes are proposed through isolated branches and pull requests for human review.
Repository-level settings control whether pull requests are created and how many can be open at once.
LegacyFixer currently focuses on Python dependency and security maintenance for selected GitHub repositories. The safest default workflow is passive monitoring: scan the repository, record the result, and make no code changes.
Scans run asynchronously in the cloud. Pull requests are created only when repository settings explicitly allow it and when a fix is available.
LegacyFixer does not make broad code changes, refactor applications, or merge anything automatically. Fixes are proposed through pull requests for human review.
You can review a real LegacyFixer run on a public demo repository before requesting access.
The demo shows a controlled PR-creation path. The default onboarding path can remain passive, with no pull request opened.
LegacyFixer is currently available for selected repositories through controlled early access. It is not an open self-serve product yet.
To request access, email [email protected] with a Python repository you would be comfortable reviewing in a controlled maintenance workflow. If the repository fits the current scope, we will confirm the next steps.
Current validated dependency layouts include root and selected nested requirements.txt files, poetry.lock, Pipfile.lock, and supported setup.cfg install_requires declarations. Do not use a production-critical repository or sensitive code for the first onboarding run.
LegacyFixer records scan status, result, queue wait, run time, and the reason why a pull request was or was not opened.
This example means LegacyFixer completed the scan, found dependency findings, and deliberately did not open a pull request because passive monitoring is enabled.
LegacyFixer is in controlled early access for selected repositories. The safest first step is passive monitoring: LegacyFixer records the result without creating pull requests. PR creation can be enabled later with explicit repository-level limits.
Access is currently controlled.