Stop triaging vulnerabilities. Mendr fixes them.
From a fresh CVE to a merged fix, with the least human work in between — so your team stops losing afternoons to dependency cleanup.
Built on trusted advisory data
- OSV Scanner
- GitHub Advisories
- Dependabot
- CISA KEV
- EPSS
mendr opened a pull request
2 minutes ago
Bump axios 0.21.1 1.7.4
Fixes 2 advisories · 1 KEV · SSRF, prototype pollution
- Resolved breaking change in response typing
- 248 tests passed
- CI pipeline green
// Mendr vs Dependabot
Where Dependabot stops, Mendr finishes
Dependabot tells you a dependency is vulnerable and bumps a version number. Mendr does the rest of the job.
// Transitive remediation
Fixes the vulnerability, not just the version
The fix is buried deep, pinned by a parent you'd otherwise trace, upgrade, and hand-patch yourself. Mendr does the whole chain in minutes.
- your-app
- glob7.1.08.0.0major · breakingRewrote the 2 call sites glob 8 breaks.
- minimatch3.0.43.1.2cleared
// Why Mendr
Less triage. More shipping.
Most tools hand you a longer to-do list. Mendr takes the work off it — finding, fixing, and verifying vulnerabilities so your team ships instead of triages.
Fixes, not findings
A working pull request with the upgrade applied and breaking changes handled — not another alert.
Reaches deep dependencies
The vulnerable package is usually buried in your tree. Mendr upgrades the parent that pins it to clear the advisory.
A PR that explains itself
Advisories closed, why this version, what changed, and what to review — so you decide from the PR, not from detective work.
Verified, never faked
Mendr watches your CI and tells you the truth — green, failed, or blocked. It never calls a broken fix done.
// Autonomous remediation
Fixes that arrive already green
Opening a pull request is the easy part. Mendr does the hard part — it upgrades the package, rewrites the code the new version breaks, and proves the result against your own CI before a human ever looks at it.
- Generates the dependency upgrade automatically
- Grades every fix low, medium, or high risk so you know what's safe to automate
- Flags for review instead of shipping a fix it can't verify
- Applied dependency upgrade0.21.1 → 1.7.4
- Resolved breaking changeresponse.data typing
- Test suite248 passed
- CI pipelinegreen
- Advisories cleared2 of 2
// The autonomy dial
You decide how far Mendr goes
Trust isn't all-or-nothing. Turn Mendr up per repo and per severity — from a suggestion you act on to a verified fix that merges itself.
Draft the PR
Mendr opens the branch and pull request with the fix applied, ready for your review.
Opened PR #482 — fix applied, waiting on your review.
// How it works
From a fresh CVE to a merged fix
Every repo runs through the same loop, end to end. You set the autonomy; Mendr handles the rest.
Assess
01–02- 01
Detect
Continuously scan every dependency.
- 02
Prioritize
Rank by reachability and exploit signals.
Remediate
03–04- 03
Fix
Generate the upgrade, resolve breakage.
- 04
Verify
Watch your CI to prove it's safe.
Deliver
05–06- 05
Ship
Open a clean, reviewable pull request.
- 06
Notify
Post to Slack, file the Jira ticket.
// Prioritization signals
Severity is only half the story
A 9.8 nobody can reach can wait behind a 6.5 that's already in the wild and running in your code. Mendr weighs four independent signals so the order reflects real risk.
The queue, reordered by real risk
two criticals below one medium
- 1lodash@4.17.20CVSS 6.5 · MediumreachableKEVEPSS 71%Fix now
- 2axios@0.21.1CVSS 9.1 · CriticalreachableEPSS 18%Queued
- 3moment@2.29.1CVSS 9.8 · CriticalreachableEPSS 2%Deferred
Is the vulnerable code even called?
Mendr traces whether the flawed function is reachable from your code. Unreachable advisories sink down the queue; reachable ones rise — so you fix what's exploitable, not what's theoretical.
How severe could this be?
The industry-standard 0–10 score from FIRST.org, sorted into Critical, High, Medium, and Low buckets straight from upstream advisory data.
Has it been exploited already?
CISA's catalog of CVEs with confirmed real-world exploitation. A KEV match separates active threats from issues that merely score high.
How likely is exploitation soon?
A FIRST.org probability that a CVE is exploited in the wild within 30 days — so near-term risk can outrank a static severity number.
// Integrations
Works where you already work
No new dashboard to babysit. Mendr lives in the tools your team checks every day.
GitHub
Connects through a GitHub App you authorize. Mendr reads your dependencies and opens fixes as pull requests on branches you control.
Slack
A new exploitable finding, a fix shipped, a PR ready to merge — your team hears about it in the channel that matters, the moment it happens.
Jira
Every fix is tracked as work. Mendr files and closes Jira tickets automatically, so your security backlog stays honest without anyone updating it.
// Trust & access
Built to be trusted with your code
Mendr asks for the least access that can do the job, deletes what it clones, and never marks its own homework — your CI and your branch rules stay in charge.
Least-privilege access
The GitHub App reads metadata, alerts, and check results; write access is limited to fix branches and pull requests. Tokens are minted per operation and never stored.
Checkouts that don't linger
Mendr clones a repo only to scan or fix it, then deletes the checkout the moment the job ends. Findings and PR metadata are kept — your source code isn't.
Never runs your code
Dependency updates are lockfile-only with install scripts disabled. Your tests run where they always have: in your own CI, which stays the source of truth.
AI repairs stay sandboxed
When a fix needs code changes, the repair runs in an isolated, disposable sandbox on a temporary checkout. Every AI-assisted fix lands as a PR for human review.
Your CI is the gate
Branch protections apply to Mendr like anyone else. Auto-merge is opt-in and reserved for low-risk, deterministic updates that have passed your checks.
Audited and encrypted
Every material action — scans, fixes, merges, setting changes — lands in an audit trail. Stored credentials are encrypted at rest with AES-256-GCM.
// FAQ
Questions, answered
Does Mendr merge code on its own?
Mendr opens every fix as a pull request and can auto-merge the ones that pass your CI, based on rules you set. You decide how much autonomy to hand over — review everything, or let the safe upgrades ship themselves.
Can it fix vulnerabilities deep in my dependency tree?
Yes — that's a core capability. The vulnerable package is often a transitive dependency several levels down, pinned by a direct dependency in your package.json. Mendr traces the dependency path, finds the parent constraining it, and upgrades that parent to clear the advisory. When only a major upgrade can resolve it, Mendr stops and shows you exactly what's blocking the fix instead of forcing a risky change.
Why does Mendr open fewer pull requests than Dependabot?
Dependabot opens one PR per advisory. Mendr groups every advisory affecting a single package into one update — the change a developer would actually make — so a package with five CVEs across two manifests becomes a single pull request you review once.
Can Mendr fix vulnerabilities that need code changes, not just a version bump?
Yes. Dependabot only edits version numbers, so it stalls when an upgrade has breaking changes or no compatible version exists — it posts an error and hands the work back to you. Mendr can make the source and configuration edits a security upgrade requires, then proves the result against your CI. Every change opens as a reviewable pull request; nothing merges blindly.
What if a fix breaks my build?
Mendr watches your existing CI on the fix branch and resolves the breaking changes an upgrade introduces. If your checks can't get to green, it flags the finding for a human instead of calling a broken fix done.
How does it know what's actually exploitable?
Beyond CVSS, KEV, and EPSS, Mendr analyzes whether the vulnerable code path is reachable from your application. A critical CVE in a function you never call is ranked far below a medium one that runs on every request.
What permissions does the GitHub App need?
The minimum that lets it do the job: read access to repository metadata, Dependabot alerts, and check results, plus write access to contents and pull requests so it can push fix branches and open PRs. Everything else is explicitly no-access, and Mendr never stores long-lived tokens — credentials are minted per operation and discarded.
Does an AI model see my code?
Only when a fix needs more than a version bump, and only inside an isolated sandbox. Deterministic lockfile updates involve no AI at all. For repairs that require code changes, the model works on a temporary checkout that is destroyed when the job ends — nothing is retained, and the result always arrives as a pull request for human review.
What does Mendr connect to?
GitHub for your code and pull requests, Slack for real-time alerts, and Jira for backlog tracking. Deterministic lockfile fixes cover the npm ecosystem today; AI-assisted repairs extend to Python, Go, Ruby, Java, and Rust.
What does Mendr cost?
Nothing while we're in early access. Pricing comes later, and existing users will hear about it well before anything changes.
// Why Mendr exists
Every team I've worked on had the same tab open: a wall of dependency alerts nobody had time for. The work isn't hard — trace the advisory, find the safe version, fix what breaks, wait for CI — it's just endless, and it always loses to the roadmap. So the queue grows, and the one alert that matters hides inside it.
Mendr is the tool I wanted on those teams: something that does the whole chore instead of scoring it, and is honest about what it did. Every fix arrives as a pull request with the reasoning attached and your own CI's verdict on it, so trusting it never requires faith.
We're early, and we're building in that spirit — no black boxes, no faked green checks. If that resonates, I'd love for you to try it.
Arjan
Founder, Mendr
Put your dependency security on autopilot
Connect GitHub and let Mendr take the first pass — verified, ready-to-merge fixes waiting for you within the hour.