# [FEEDBACK] Auto-remediation with automatic bumping of dependencies

We are building an [auto-remediation feature](https://gitlab.com/groups/gitlab-org/-/work_items/17403) that automatically creates Merge Requests to resolve vulnerable dependencies by bumping them to a safe, non-breaking version. The system will:

* Detect vulnerable dependencies from SBOM ingestion (triggered by Dependency Scanning, Continuous Vulnerability Scanning, or any other SBOM ingestion)
* Determine a safe upgrade path by bumping to the latest available patch or minor version that resolves the vulnerability
* Generate the necessary dependency file changes and open an MR per vulnerability, with no human input required beyond existing MR approval policies
* Allow users to enable or disable the feature at the project level

This feature is currently in Experiment. To ensure quality as the feature makes progress towards GA, we'd like to collect user feedback.

## Supported package managers

* Bundler (Ruby)

**Note**: More ecosystems and package managers will be added in Beta.

## :reminder_ribbon: How to give feedback

1. **Check existing feedback & known issues:** Before submitting, check whether your feedback is already captured in the linked items, [known issues](#known-issues), or reported by someone else in one of the threads. If so, comment on the existing thread or leave an emoji reaction to show support.
2. **Start a new thread:** If your feedback is not listed, start a new thread with a descriptive title. Include relevant details, screenshots, and steps to reproduce the issue in expandable sections.
3. **Be Specific:** Provide as much detail as possible, including device/browser information, steps to reproduce, and expected vs. actual outcomes.

## :handshake: What you can expect from us

1. We **will read** all of your feedback.
2. We **may not respond** to all feedback directly.
3. We will **create issues** for repeatable bugs and assign a [priority](https://handbook.gitlab.com/handbook/security/security-operations/sirt/severity-matrix/#priority) based on [severity](https://handbook.gitlab.com/handbook/security/security-operations/sirt/severity-matrix/#severity).

## Known Issues
issue
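The following is an added worked example of the "safe upgrade path" step described at the top of this issue (bump only to a later patch or minor release that falls outside the advisory's vulnerable range, and leave a major bump for a human). It is not GitLab's implementation. The `Gemfile.lock` fragment, the advisory ranges for `rack`, the list of available releases, and the helper names (`locked_version`, `safe_bump`, `bump_lockfile`, `remediate`) are all constructed for illustration; only `Gem::Version` and `Gem::Requirement` from the RubyGems standard library are real.

```ruby
# Added example (not GitLab's code): choose a non-breaking fix version for a
# vulnerable gem and rewrite its entry in Gemfile.lock.
require "rubygems" # provides Gem::Version and Gem::Requirement

# Constructed Gemfile.lock fragment (not taken from any real project).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.2)
      rack (2.2.3)
      rake (13.0.6)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rack
    rake
LOCK

# Constructed advisory data for "rack" (hypothetical ranges, not a real CVE):
# each inner array is one vulnerable range; all constraints in it must hold.
RACK_VULNERABLE = [["< 2.2.8.1"], [">= 3.0.0", "< 3.0.9.1"]]

# Constructed list of releases the registry would report as available.
AVAILABLE = %w[2.2.3 2.2.4 2.2.8 2.2.8.1 2.2.9 3.0.0 3.0.9.1 3.1.0]

# Find the version a gem is locked to (the "    name (version)" line under specs:).
def locked_version(lockfile, name)
  m = lockfile.match(/^ {4}#{Regexp.escape(name)} \(([^)]+)\)$/)
  m && m[1]
end

# A version is vulnerable if it satisfies any of the advisory's ranges.
def vulnerable?(version, vulnerable_ranges)
  vulnerable_ranges.any? { |range| Gem::Requirement.new(*range).satisfied_by?(version) }
end

# Pick the newest release that is newer than the locked version, keeps the
# same major (patch or minor bump only), is not a prerelease, and is outside
# every vulnerable range. Returns nil when no such release exists.
def safe_bump(current, available, vulnerable_ranges)
  cur = Gem::Version.new(current)
  candidates = available.map { |v| Gem::Version.new(v) }.select do |v|
    v > cur &&
      v.segments[0] == cur.segments[0] && # same major: non-breaking by semver
      !v.prerelease? &&
      !vulnerable?(v, vulnerable_ranges)
  end
  candidates.max&.to_s
end

# Rewrite only the locked version of the named gem; every other line is untouched.
def bump_lockfile(lockfile, name, new_version)
  lockfile.sub(/^( {4}#{Regexp.escape(name)} \()[^)]+(\))$/, "\\1#{new_version}\\2")
end

# Full step: locate the gem, compute the bump, produce the changed lockfile.
# Returns nil when the gem is not locked or only a major (breaking) bump would
# fix it, which is the case a human should review instead of an automatic MR.
def remediate(lockfile, name, available, vulnerable_ranges)
  current = locked_version(lockfile, name)
  return nil unless current
  target = safe_bump(current, available, vulnerable_ranges)
  return nil unless target
  { gem: name, from: current, to: target, lockfile: bump_lockfile(lockfile, name, target) }
end

if $PROGRAM_NAME == __FILE__
  result = remediate(LOCKFILE, "rack", AVAILABLE, RACK_VULNERABLE)
  if result
    puts "#{result[:gem]}: #{result[:from]} -> #{result[:to]}"
    puts result[:lockfile]
  else
    puts "no non-breaking fix available; needs manual review"
  end
end
```

Note that with the constructed data the chooser skips `2.2.8` (still inside `< 2.2.8.1`) and skips every `3.x` release even though `3.0.9.1` and `3.1.0` are patched, because a major bump is treated as breaking; the result is `2.2.9`, the latest safe release in the `2.x` line. If the only patched releases were `3.x`, `remediate` would return nil rather than open a misleading MR.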