LegacyFixer

Automated Python dependency security, without PR noise

LegacyFixer scans selected Python repositories, records dependency-security results, and creates review-ready pull requests only when repository settings explicitly allow it.

Passive by default

Start with scan results only. No code changes are made during the recommended first onboarding run.

Review-ready PRs

When enabled, fixes are proposed through isolated branches and pull requests for human review.

Repository-level control

Each repository controls whether PR creation is enabled and how many LegacyFixer PRs can be open.

Request access

LegacyFixer is available through controlled access for selected public Python repositories. It is not an open self-serve product yet.

To request access, use the branded contact address that will be published before public onboarding opens. Include one repository you would be comfortable testing in a controlled maintenance workflow.

  1. Send one repository URL. Start with a public, non-sensitive Python repository.
  2. Run passive first. The first scan records findings without opening a pull request.
  3. Enable PRs deliberately. Pull request creation is optional and controlled per repository.

Current validated coverage

Dependency layouts

  • requirements.txt
  • nested requirements.txt
  • poetry.lock
  • Pipfile.lock
  • setup.cfg install_requires
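As an added example (not LegacyFixer's own code, and not part of the original page), the following script shows what a passive scan of the layouts above has to do before it can look up advisories: enumerate every declared dependency from requirements.txt (following nested -r includes, with a guard against include cycles), poetry.lock, Pipfile.lock and setup.cfg install_requires, normalize package names per PEP 503, and separate exact == pins, which can be matched against an advisory directly, from version ranges, which cannot be matched without resolving them first. The sample repository it builds in a temporary directory is constructed for the example; the poetry.lock reader is a minimal line scanner for the name and version keys, not a full TOML parser.

```python
from __future__ import annotations

import configparser
import json
import re
import tempfile
from pathlib import Path

# "name[extras] specifier ; marker" requirement line (URLs and editable installs are handled separately).
_REQ = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(?:\[[^\]]*\])?\s*([^;]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'PyYAML', 'pyyaml' and 'Typing_Extensions' compare consistently."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _split_req(line: str) -> tuple[str, str] | None:
    m = _REQ.match(line)
    return (normalize(m.group(1)), m.group(2).strip()) if m else None


def parse_requirements(path: Path, seen: set[Path] | None = None) -> dict[str, str]:
    """requirements.txt, following -r/--requirement includes relative to the including file.
    `seen` stops include cycles (a.txt -> b.txt -> a.txt) from recursing forever."""
    seen = set() if seen is None else seen
    path = path.resolve()
    if path in seen or not path.is_file():
        return {}
    seen.add(path)
    deps: dict[str, str] = {}
    for raw in path.read_text().splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("--requirement") or line.startswith("-r"):
            target = line[len("--requirement"):] if line.startswith("--requirement") else line[2:]
            deps.update(parse_requirements(path.parent / target.lstrip("= ").strip(), seen))
        elif line.startswith("-") or "://" in line:
            continue  # pip options, editable installs and URL requirements carry no checkable version
        elif (parsed := _split_req(line)):
            deps[parsed[0]] = parsed[1]
    return deps


def parse_poetry_lock(path: Path) -> dict[str, str]:
    """poetry.lock: every [[package]] table carries name = "..." and version = "..." (minimal scanner)."""
    deps: dict[str, str] = {}
    name = version = None
    in_package = False
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if line.startswith("["):
            if name and version:
                deps[normalize(name)] = f"=={version}"
            name = version = None
            in_package = line == "[[package]]"
        elif in_package and (m := re.match(r'^(name|version)\s*=\s*"([^"]*)"$', line)):
            name, version = (m.group(2), version) if m.group(1) == "name" else (name, m.group(2))
    if name and version:
        deps[normalize(name)] = f"=={version}"
    return deps


def parse_pipfile_lock(path: Path) -> dict[str, str]:
    """Pipfile.lock: JSON with "default" and "develop" maps of name -> {"version": "==x.y.z", ...}."""
    data = json.loads(path.read_text())
    return {normalize(n): meta["version"] for section in ("default", "develop")
            for n, meta in data.get(section, {}).items() if "version" in meta}


def parse_setup_cfg(path: Path) -> dict[str, str]:
    """setup.cfg: the multi-line [options] install_requires value, one requirement per line."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    parsed = (_split_req(l.strip()) for l in cfg.get("options", "install_requires", fallback="").splitlines())
    return {p[0]: p[1] for p in parsed if p}


PARSERS = {"requirements.txt": parse_requirements, "poetry.lock": parse_poetry_lock,
           "Pipfile.lock": parse_pipfile_lock, "setup.cfg": parse_setup_cfg}


def collect(root: Path) -> dict[str, dict[str, str]]:
    """Walk a checkout and return {relative layout path: {normalized package: specifier}}."""
    return {str(p.relative_to(root)): PARSERS[p.name](p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name in PARSERS}


def exact_pins(deps: dict[str, str]) -> dict[str, str]:
    """Only '==' pins can be checked against an advisory directly; ranges like '>=5.4' need resolution first."""
    return {n: s[2:].strip() for n, s in deps.items() if s.startswith("==") and not s.startswith("===")}


def build_sample_repo(root: Path) -> None:
    """Constructed sample files (not from any real repository) covering every layout above."""
    (root / "requirements.txt").write_text("# top-level pins\nrequests==2.25.1  # old\n"
                                           "-r requirements/base.txt\n-e .\nhttps://example.invalid/pkg.whl\n")
    (root / "requirements").mkdir()
    (root / "requirements" / "base.txt").write_text("urllib3[socks]==1.26.4\nPyYAML>=5.4\n-r ../requirements.txt\n")
    (root / "poetry.lock").write_text('[[package]]\nname = "Jinja2"\nversion = "2.11.3"\n\n[package.dependencies]\n'
                                      'MarkupSafe = ">=0.23"\n\n[[package]]\nname = "markupsafe"\nversion = "1.1.1"\n'
                                      '\n[metadata]\nlock-version = "2.0"\n')
    (root / "Pipfile.lock").write_text(json.dumps({"_meta": {}, "default": {"cryptography": {"version": "==3.3.2",
                                       "hashes": []}}, "develop": {"pytest": {"version": "==6.2.2"}}}))
    (root / "setup.cfg").write_text("[metadata]\nname = demo\n\n[options]\ninstall_requires =\n"
                                    "    requests>=2.20\n    Pillow==8.1.0\n")


def demo() -> dict[str, dict[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return collect(root)


if __name__ == "__main__":
    for layout, deps in demo().items():
        print(layout, deps, "exact pins:", exact_pins(deps))
```

The cycle guard matters for the "nested requirements.txt" case: an include that points back at its parent is a valid file layout, and a scanner without the `seen` set would hang on it rather than record findings.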

Behavioral cases

  • passive findings
  • dependency conflict
  • dependency hell
  • PR diff granularity
  • no PR in passive mode

Best first fit: a small or medium public repository that is not production-sensitive.

Review the public demo

Review a real passive LegacyFixer scan before requesting access. The demo shows the recommended first onboarding path: scan, record findings, and avoid pull request creation until the result is reviewed.

Open the read-only passive status page: a successful scan with findings and no PR opened.

Demo scan snapshot

  Trigger:   webhook
  Status:    success
  Result:    NO_ACTION
  Reason:    passive_findings
  PR opened: no
  Run time:  21s