Glama

apply_fixes

Execute package upgrade commands to fix CVEs by modifying package files. Always review the commands and confirm with the user before running them.

Instructions

Execute package upgrade commands to fix CVEs. IMPORTANT: This is a DESTRUCTIVE action that modifies package files. ALWAYS call get_fix_commands first and confirm with the user before calling this. Returns the command output for each fix applied.

Input Schema

Name      Required  Description                                                                          Default
path      Yes       Path to the project directory.                                                       '.'
packages  Yes       Package names to fix. Must be explicit — never fix all without user confirmation.    (none)
dry_run   No        If true, print commands without executing. Useful for the final confirmation step.  false

Implementation Reference

  • The handler function 'handleApplyFixes' which executes the upgrade commands.
    // Node built-ins the handler uses (import lines assumed; the page shows only the function body).
    import { execSync } from 'node:child_process';
    import { resolve } from 'node:path';
    // scanService, getFixableGroups, ok and err are project-local helpers
    // (scanner, fix-group lookup and MCP result wrappers) defined elsewhere in the server.

    async function handleApplyFixes({ path: dir = '.', packages, dry_run = false }) {
      const absDir = resolve(dir);
      // Re-scan the project (OSV lookups enabled) so fixes reflect its current state.
      const result = await scanService(absDir, { noOsv: false });

      // Only the packages the user explicitly named are eligible; matching is case-insensitive.
      const fixable = getFixableGroups(result.vulns, packages);
      const requested = packages.map(p => p.toLowerCase());
      const toApply = fixable.filter(f => requested.includes(f.name.toLowerCase()));

      if (toApply.length === 0) {
        return err(`No fix commands found for: ${packages.join(', ')}. Run get_fix_commands to see available fixes.`);
      }

      const outputs = [];

      for (const f of toApply) {
        // dry_run reports the exact command without executing anything.
        if (dry_run) {
          outputs.push(`[DRY RUN] Would run: ${f.command}`);
          continue;
        }

        try {
          // Runs the upgrade command in the project directory with a 60 s timeout;
          // output is truncated to 200 characters for the report.
          const stdout = execSync(f.command, { cwd: absDir, timeout: 60000 }).toString().trim();
          outputs.push(`✅ ${f.name}: upgraded to ${f.fixVersion} (fixes ${f.cveCount} CVE${f.cveCount > 1 ? 's' : ''})\n   $ ${f.command}\n   ${stdout.slice(0, 200)}`);
        } catch (e) {
          outputs.push(`❌ ${f.name}: command failed\n   $ ${f.command}\n   ${e.message.slice(0, 200)}`);
        }
      }

      const summary = dry_run
        ? `## Dry run — commands that would be executed\n\n${outputs.join('\n\n')}`
        : `## Fix results\n\n${outputs.join('\n\n')}\n\n> Run \`scan_project\` again to verify CVEs are resolved.`;

      return ok(summary);
    }
  • MCP tool definition for 'apply_fixes' (fragment of the tool registration object).
    name: 'apply_fixes',
    description:
      'Execute package upgrade commands to fix CVEs. ' +
      'IMPORTANT: This is a DESTRUCTIVE action that modifies package files. ' +
      'ALWAYS call get_fix_commands first and confirm with the user before calling this. ' +
      'Returns the command output for each fix applied.',
  • Tool call dispatch logic invoking 'handleApplyFixes' (one case of the tool-name switch).
    case 'apply_fixes': return await handleApplyFixes(args);
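The handler above bundles three concerns: selecting only the explicitly requested packages, honouring dry_run, and summarising per-package outcomes. The following is an added example, not code from the osv-ui project, that separates those steps so each returns data a test can check. It assumes fix entries shaped like the handler's (name, fixVersion, cveCount) but carries each command as a program plus argv array rather than a shell string, and it takes the command runner as a parameter so the flow can be exercised without touching a real project. The fixable list, the fake runner and its output are constructed for this example.

```javascript
// Added example (not the osv-ui project's own code): selection, dry-run and
// reporting flow of an apply_fixes-style handler with an injected command runner.

// Constructed sample of what a "fixable groups" lookup might return.
const SAMPLE_FIXABLE = [
  { name: 'lodash', fixVersion: '4.17.21', cveCount: 3, cmd: 'npm', args: ['install', 'lodash@4.17.21'] },
  { name: 'Minimist', fixVersion: '1.2.8', cveCount: 1, cmd: 'npm', args: ['install', 'minimist@1.2.8'] },
  { name: 'express', fixVersion: '4.19.2', cveCount: 2, cmd: 'npm', args: ['install', 'express@4.19.2'] },
];

// Select only explicitly requested packages (case-insensitive) and report
// requested names that have no fix, so nothing the user asked for is silently dropped.
function planFixes(fixable, packages) {
  if (!Array.isArray(packages) || packages.length === 0) {
    throw new Error('packages must be a non-empty explicit list');
  }
  const requested = new Set(packages.map((p) => p.toLowerCase()));
  const selected = fixable.filter((f) => requested.has(f.name.toLowerCase()));
  const found = new Set(selected.map((f) => f.name.toLowerCase()));
  const missing = [...requested].filter((p) => !found.has(p));
  return { selected, missing };
}

// Human-readable form of a command for the report (never passed to a shell).
function renderCommand(f) {
  return [f.cmd, ...f.args].join(' ');
}

// A real runner would wrap execFileSync (argv array, no shell interpretation).
// Assumed production wiring; only invoked if a caller chooses this runner.
function execRunner({ cmd, args, cwd }) {
  const { execFileSync } = require('node:child_process');
  return execFileSync(cmd, args, { cwd, timeout: 60000 }).toString();
}

// Fake runner for the stand-alone demo: succeeds for every package except
// express, which simulates a failed install.
function fakeRunner({ cmd, args }) {
  if (cmd !== 'npm') throw new Error(`command not found: ${cmd}`);
  if (args.some((a) => a.startsWith('express@'))) throw new Error('ERESOLVE unable to resolve dependency tree');
  return `+ ${args[args.length - 1]}\nadded 1 package\n`;
}

// Apply the plan; `run` is the injected runner. Returns structured results
// rather than a pre-rendered string so callers can inspect each outcome.
function applyFixes({ fixable, packages, cwd = '.', dryRun = false, run }) {
  const { selected, missing } = planFixes(fixable, packages);
  if (selected.length === 0) {
    return { ok: false, error: `No fix commands found for: ${packages.join(', ')}`, results: [], missing };
  }
  const results = [];
  for (const f of selected) {
    const command = renderCommand(f);
    if (dryRun) {
      results.push({ name: f.name, status: 'dry-run', command });
      continue;
    }
    try {
      const output = String(run({ cmd: f.cmd, args: f.args, cwd })).trim().slice(0, 200);
      results.push({ name: f.name, status: 'ok', command, fixVersion: f.fixVersion, cveCount: f.cveCount, output });
    } catch (e) {
      results.push({ name: f.name, status: 'failed', command, output: String(e.message).slice(0, 200) });
    }
  }
  return { ok: true, dryRun, results, missing };
}

// Render the structured outcome in the same report style as the handler.
function summarize(outcome) {
  if (!outcome.ok) return outcome.error;
  const lines = outcome.results.map((r) => {
    if (r.status === 'dry-run') return `[DRY RUN] Would run: ${r.command}`;
    if (r.status === 'ok') {
      return `OK ${r.name}: upgraded to ${r.fixVersion} (fixes ${r.cveCount} CVE${r.cveCount > 1 ? 's' : ''})\n   $ ${r.command}\n   ${r.output}`;
    }
    return `FAILED ${r.name}: command failed\n   $ ${r.command}\n   ${r.output}`;
  });
  const skipped = outcome.missing.length ? `\n\nNo fix available for: ${outcome.missing.join(', ')}` : '';
  return (outcome.dryRun ? '## Dry run\n\n' : '## Fix results\n\n') + lines.join('\n\n') + skipped;
}

// Stand-alone demo: a dry run, then a run against the fake runner.
console.log(summarize(applyFixes({ fixable: SAMPLE_FIXABLE, packages: ['lodash', 'minimist'], dryRun: true, run: fakeRunner })));
console.log(summarize(applyFixes({ fixable: SAMPLE_FIXABLE, packages: ['LODASH', 'express', 'nope'], run: fakeRunner })));
```

Keeping the runner injectable means the "confirm before executing" contract can be tested: the dry-run path is verified to never invoke the runner at all, and the `missing` list makes a request for a package with no available fix visible in the report instead of being silently ignored.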

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/toan203/osv-ui'
