Fetch fixes for vulnerabilities in a repository, scan, or uploaded manifest

Fetches available fixes for vulnerabilities in a repository, scan, or uploaded manifest. Requires exactly one of repo_slug, full_scan_id, or tar_hash, as well as vulnerability_ids to be provided. vulnerability_ids can be a comma-separated list of GHSA or CVE IDs, or "*" for all vulnerabilities.

Response Structure

The response contains a fixDetails object where each key is a vulnerability ID (GHSA or CVE) and the value is a discriminated union based on the type field.

Common Fields

All response variants include:

  • type: Discriminator field (one of: "fixFound", "partialFixFound", "noFixAvailable", "fixNotApplicable", "errorComputingFix")
  • value: Object containing the variant-specific data

The value object always contains:

  • ghsa: string | null - The GHSA ID
  • cve: string | null - The CVE ID (if available)
  • advisoryDetails: object | null - Advisory details (only if include_details=true)

Response Variants

fixFound: A complete fix is available for all vulnerable packages

  • value.fixDetails.fixes: Array of fix objects, each containing:
    • purl: Package URL to upgrade
    • fixedVersion: Version to upgrade to
    • manifestFiles: Array of manifest files containing the package
    • updateType: "patch" | "minor" | "major" | "unknown"
  • value.fixDetails.responsibleDirectDependencies: (optional) Map of direct dependencies responsible for the vulnerability

partialFixFound: Fixes available for some but not all vulnerable packages

  • Same as fixFound, plus:
  • value.fixDetails.unfixablePurls: Array of packages that cannot be fixed, each containing:
    • purl: Package URL
    • manifestFiles: Array of manifest files
    • reasons: Human-readable explanations of why the package cannot be upgraded. May contain multiple distinct entries when different dependency chains are blocked for different causes (e.g. one chain has no compatible upstream version; another would require a major version bump skipped by --no-major-updates).

noFixAvailable: No fix exists for this vulnerability (no patched version published)

fixNotApplicable: A patched version of the vulnerable package exists but cannot be applied. The most common cause is that there is no upgrade path through the dependency tree: for example, given a chain App → A → B where B < 2.0.0 is vulnerable, if no version of A accepts a patched B (2.0.0 or later), the fix cannot be applied without a manual override (e.g. pnpm overrides). Another cause is the caller passing --no-major-updates when the only patched version is a major bump.

  • value.vulnerableArtifacts: Array of vulnerable packages with their manifest files

errorComputingFix: An error occurred while computing fixes

  • value.message: Error description

Advisory Details (when include_details=true)

  • title: string | null
  • description: string | null
  • cwes: string[] - CWE identifiers
  • severity: "LOW" | "MODERATE" | "HIGH" | "CRITICAL"
  • cvssVector: string | null
  • publishedAt: string (ISO date)
  • kev: boolean - Whether the vulnerability is listed as a Known Exploited Vulnerability (KEV)
  • epss: number | null - Exploit Prediction Scoring System score
  • affectedPurls: Array of affected packages with version ranges
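As an added example (not part of the API documentation or the vendor's code), the following consumer walks a fixDetails response of the shape described above, treats each discriminator variant differently, and separates upgrades CI can apply from those that need a human. The sample response, its GHSA/CVE ids, purls and message text are constructed placeholders; a real response would come from the endpoint with include_details=true for the kev field to be present.

```python
import json

# Constructed sample response in the fixDetails shape documented above; the GHSA/CVE
# ids, purls and messages are placeholders, not real advisories.
SAMPLE = json.loads("""{"fixDetails": {
  "GHSA-0000-0000-0001": {"type": "fixFound", "value": {"ghsa": "GHSA-0000-0000-0001",
    "cve": null, "advisoryDetails": {"severity": "HIGH", "kev": true, "epss": 0.42},
    "fixDetails": {"fixes": [{"purl": "pkg:npm/b@1.0.0", "fixedVersion": "2.0.0",
      "manifestFiles": ["package.json"], "updateType": "major"}]}}},
  "GHSA-0000-0000-0002": {"type": "partialFixFound", "value": {"ghsa": "GHSA-0000-0000-0002",
    "cve": "CVE-0000-0002", "advisoryDetails": null,
    "fixDetails": {"fixes": [{"purl": "pkg:npm/c@3.1.0", "fixedVersion": "3.1.4",
      "manifestFiles": ["package.json"], "updateType": "patch"}],
      "unfixablePurls": [{"purl": "pkg:npm/d@0.9.0", "manifestFiles": ["lib/package.json"],
      "reasons": ["no compatible upstream version"]}]}}},
  "GHSA-0000-0000-0003": {"type": "fixNotApplicable", "value": {"ghsa": "GHSA-0000-0000-0003",
    "cve": null, "advisoryDetails": null,
    "vulnerableArtifacts": [{"purl": "pkg:npm/e@1.2.0", "manifestFiles": ["package.json"]}]}},
  "CVE-0000-0004": {"type": "noFixAvailable", "value": {"ghsa": null, "cve": "CVE-0000-0004",
    "advisoryDetails": null}},
  "GHSA-0000-0000-0005": {"type": "errorComputingFix", "value": {"ghsa": "GHSA-0000-0000-0005",
    "cve": null, "advisoryDetails": null, "message": "timeout resolving dependency graph"}}}}""")

def triage(response):
    """Split fixDetails into what CI can apply automatically and what needs a human."""
    plan = {"upgrade": [], "blocked": [], "no_fix": [], "errors": []}
    for vuln_id, entry in response["fixDetails"].items():
        kind, value = entry["type"], entry["value"]
        kev = bool((value.get("advisoryDetails") or {}).get("kev"))  # null unless include_details=true
        if kind in ("fixFound", "partialFixFound"):
            for fix in value["fixDetails"]["fixes"]:
                plan["upgrade"].append({"id": vuln_id, "purl": fix["purl"], "to": fix["fixedVersion"],
                                        "update": fix["updateType"], "kev": kev})
            for p in value["fixDetails"].get("unfixablePurls", []):  # present only on partialFixFound
                plan["blocked"].append({"id": vuln_id, "purl": p["purl"], "reasons": p["reasons"]})
        elif kind == "fixNotApplicable":  # patched version exists but no upgrade path through the tree
            for art in value["vulnerableArtifacts"]:
                plan["blocked"].append({"id": vuln_id, "purl": art["purl"],
                                        "reasons": ["no upgrade path; needs a manual override"]})
        elif kind == "noFixAvailable":
            plan["no_fix"].append(vuln_id)
        elif kind == "errorComputingFix":
            plan["errors"].append((vuln_id, value["message"]))
        else:  # fail closed: an unknown discriminator must never be silently treated as fixed
            raise ValueError(f"unknown fixDetails type: {kind}")
    return plan

def needs_review(plan):
    """Upgrades that should not be auto-merged: major bumps, plus anything KEV-listed."""
    return [u for u in plan["upgrade"] if u["update"] == "major" or u["kev"]]
```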

This endpoint consumes 10 units of your quota.

This endpoint requires the following org token scopes:

  • fixes:list
Path Params

  • string, required: The slug of the organization

Query Params

  • repo_slug (string): The slug of the repository to fetch fixes for (e.g. "my-repo" or "my-org/my-repo"). Use the full org/repo path to disambiguate when multiple GitHub orgs share the same repo name. Fixes are computed from the latest scan on the default branch.
  • full_scan_id (string): The ID of the scan to fetch fixes for.
  • tar_hash (string): A tarball hash from the upload-manifest-files endpoint. Mutually exclusive with repo_slug and full_scan_id.
  • vulnerability_ids (string, required): Comma-separated list of GHSA or CVE IDs, or "*" for all vulnerabilities.
  • boolean, required, defaults to false: Whether to allow major version updates in fixes.
  • string, defaults to 0d: Minimum release age for fix packages (e.g. "1h", "2d", "1w"). Higher values reduce the risk of installing recently released, untested package versions.
  • include_details (boolean, defaults to false): Whether to include advisory details in the response.
  • boolean, defaults to false: Set to include the direct dependencies responsible for introducing the dependency or dependencies with the vulnerability in the response.
  • boolean, defaults to false: Set to include an allDetectedGhsas field listing every GHSA detected in the project, regardless of the vulnerability_ids filter. Useful for CLI clients that request a specific GHSA and want to show the user which GHSAs actually exist when the request has no overlap.
  • string: The id of an autofix-or-upgrade-cli-run record (created via /fixes/register-autofix-or-upgrade-cli-run) to associate this computation with. When set, the server records per-GHSA fix-computation telemetry into autofix_compute_vulnerability and updates the run's autofix_run row, mirroring the legacy /v0/fixes/compute-fixes endpoint. The caller must own the run's organization; foreign-org or unknown ids return 404.
