Helping developers upgrade vulnerable dependencies with confidence
Combining deterministic analysis and AI to reduce uncertainty and effort when upgrading software dependencies
This is just a brief overview of this project. Contact me for a full case study.
Overview
Led the design of AI-assisted upgrade guidance that helps AppSec teams and developers understand whether a dependency upgrade is safe or breaking, and act faster by opening pull requests directly from the Semgrep platform.
The problem
Fixing supply chain vulnerabilities is slow and high-friction. Teams struggle to understand whether an upgrade will be safe, breaking, or require significant manual effort. That uncertainty leads to delayed remediation, excessive context switching, and low confidence in automated fixes.
While customers were asking for auto-PRs, simply automating upgrades without trust would have created more risk than value.
My role
Design lead
The solution
I designed a remediation experience that combines deterministic program analysis with LLMs to give teams confidence before they act. The experience:
• Classifies upgrades as safe, breaking, or unknown
• Explains why an upgrade is considered breaking and what changes are required
• Surfaces this insight directly in the remediation workflow
• Allows users to open a PR from the platform, with clear context about risk and required fixes
A key design decision was to anchor trust in deterministic analysis first, with AI used to summarize and explain the underlying signals rather than replace them. Safe upgrades could be automated with guardrails, while breaking changes still required human judgment.
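To make the "deterministic first, AI explains" split concrete, here is an added illustration of the classification and guardrail logic. It is example code written for this page, not Semgrep's implementation: the package name `examplelib`, the version numbers, the symbol sets and the `UpgradeEvidence` shape are all constructed assumptions. The verdict is derived only from two deterministic inputs (which symbols the repo uses, and which of those the target version removes or changes); missing evidence yields `unknown` rather than `safe`, and only a `safe` verdict unlocks an automatic PR. An LLM would sit downstream, turning the `reasons` list into prose for the PR description without being able to change the verdict.

```python
"""Classify a dependency upgrade as safe / breaking / unknown from deterministic evidence.

Hypothetical example: the package, versions and symbols below are constructed for
illustration and do not come from Semgrep or any real project.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Verdict(str, Enum):
    SAFE = "safe"
    BREAKING = "breaking"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class UpgradeEvidence:
    package: str
    current: str                        # installed version
    target: str                         # version that fixes the vulnerability
    used_symbols: frozenset             # symbols the repo imports/calls (from program analysis)
    removed_symbols: frozenset | None   # symbols removed or changed between the two versions
                                        # (from an API diff); None if no diff could be computed


_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_semver(version: str) -> tuple[int, int, int] | None:
    """Parse 'MAJOR.MINOR.PATCH'; anything else is treated as unknown, not as safe."""
    m = _SEMVER.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(ev: UpgradeEvidence) -> tuple[Verdict, list[str]]:
    """Return the verdict plus the machine-checkable reasons behind it.

    Only deterministic signals decide the verdict. An LLM may later rewrite
    `reasons` as prose for the PR description but never alters the verdict.
    """
    cur, tgt = parse_semver(ev.current), parse_semver(ev.target)
    if cur is None or tgt is None:
        return Verdict.UNKNOWN, [f"cannot parse versions {ev.current!r} -> {ev.target!r}"]
    if tgt <= cur:
        return Verdict.UNKNOWN, [f"target {ev.target} is not newer than {ev.current}"]
    if ev.removed_symbols is None:
        # Fail closed: absence of evidence is not evidence of safety.
        return Verdict.UNKNOWN, [f"no API diff available for {ev.package} {ev.current}->{ev.target}"]

    impacted = sorted(ev.used_symbols & ev.removed_symbols)
    if impacted:
        return Verdict.BREAKING, [
            f"{ev.package}.{s} is used by this repo but removed or changed in {ev.target}"
            for s in impacted
        ]

    reasons = [f"none of the {len(ev.used_symbols)} symbols this repo uses from {ev.package} changed"]
    if tgt[0] > cur[0]:
        # Clean API diff across a major bump: still safe by this rule, but flag it so the
        # guardrail (CI on the PR) is visibly the thing standing between verdict and merge.
        reasons.append(f"major version bump {cur[0]}->{tgt[0]}: API diff shows no impact, CI must pass before merge")
    return Verdict.SAFE, reasons


def auto_pr_allowed(verdict: Verdict) -> bool:
    """Guardrail: only a SAFE verdict may open a PR without a human in the loop."""
    return verdict is Verdict.SAFE


# Constructed evidence for three upgrades of a hypothetical package.
SAMPLES = {
    "breaking": UpgradeEvidence("examplelib", "1.4.2", "2.0.0",
                                frozenset({"Client", "Client.fetch", "parse_url"}),
                                frozenset({"Client.fetch", "legacy_auth"})),
    "safe": UpgradeEvidence("examplelib", "1.4.2", "1.4.9",
                            frozenset({"Client", "parse_url"}),
                            frozenset()),
    "unknown": UpgradeEvidence("examplelib", "1.4.2", "1.5.0",
                               frozenset({"Client"}),
                               None),
}


if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        verdict, reasons = classify(ev)
        print(f"[{name}] {ev.package} {ev.current} -> {ev.target}: {verdict.value}"
              f" (auto-PR: {auto_pr_allowed(verdict)})")
        for r in reasons:
            print("   -", r)
```

The point of the structure is that `auto_pr_allowed` never sees free-form model output: the policy consumes a verdict that was computed from inspectable inputs, so a wrong or manipulated explanation can make the PR description misleading but cannot cause an unsafe upgrade to be merged automatically.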
Impact
PRs opened since launch
Additional impact:
- Addressed a critical gap cited in competitive evaluations and ~$3M in ARR opportunity
- Unlocked a foundation for automated remediation policies and AI differentiation
- Enabled one-click PR creation for safe dependency upgrades