Yesterday, we announced our acquisition of EdgeBit, our shift toward automating dependency updates, and the importance of new technology on the path to truly accelerating real engineering tasks.
One of our key learnings is that dependency updates themselves are hard engineering tasks. Even communicating the level of effort for migration is hard without getting deep into it. As a result, our job is to introduce automation that can fundamentally accelerate this engineering work. We intend to tackle each area of this work: research, breaking changes, app impact, and the ultimate safe/not safe verdict.
Many building blocks exist today, but over the course of the FOSSA / EdgeBit partnership, we’ll be excited to introduce a few new pieces of work soon to be available in our joint tooling:
1. Novel analysis for dependency compatibility
Existing techniques like reachability analysis were designed to filter vulnerabilities that are unlikely to be exploitable. That’s useful for triage, but doesn’t actually fix anything, and creates more security debt. The vulnerable code is still in your repo, customer scanners still show warnings, and the overhead of tracking the issue still exists. To actually execute the fix, developers must assess update compatibility.
Upgrading dependencies demands a far deeper level of understanding than what modern static analysis offers today. First, our understanding of call sites and code paths has to be consistently deep across all ecosystems. "Partial reachability" analysis or inconsistent methods will fail. Secondly, we need a lot more metadata, such as semantic changes, API differences, and an understanding of runtime behavior / ecosystem quirks.
There are no shortcuts here — especially in dynamic environments like JavaScript and TypeScript, where highly flexible language features make fine-grained static analysis notoriously difficult.
Next-generation tools must go beyond filtering. They need to analyze how applications actually use libraries — down to the function level — to detect breaking changes and risky updates with real precision. In conjunction with EdgeBit, we’ve developed novel static analysis just for this use case, and are excited to share more in the coming week.
2. Static analysis as agent context
Until now, static code analysis has mainly been a tool that surfaces information for human developers. But we’re starting to see its power as context for AI coding agents. Today’s AI code assistants are still relatively weak and inconsistent at fully autonomous tasks like dependency upgrades — they often require a human to review or guide their suggestions.
By contrast, if we optimize static analysis specifically to feed an automated agent, the combination can dramatically improve the reliability of fully autonomous code updates. EdgeBit demonstrated a 190% increase in accuracy and a 300% increase in consistency in early prototypes of one-shot "Dependency Autofix".
By weaving static analysis into the AI’s decision loop, we’ve made autonomous upgrades far more dependable.
3. Evolving update planning / strategy
Inventing new analysis is only part of the challenge. Development teams want updates pushed to them but those update tools often create as many problems as they solve. They generate floods of noisy PRs, demand heavy configuration before delivering value (especially at scale), and frequently break down when faced with nonstandard build systems.
Posting PRs isn’t the hard part. Researching the ramifications of the upgrade or adapting the application to take advantage of the new features or migrate from deprecated APIs is what takes effort. Using a tool that comes to the table with a fully completed unit of work is extremely powerful.
Another aspect of planning is the supply chain becoming a larger target for malware. Teams can’t just “upgrade to latest” — they need intelligence to vet versions, apply context, and enforce clear update policies.
We see a major opportunity at the application layer to deliver better, more prescriptive tooling: smarter batching, policy-aware updates, tighter integration with real developer workflows, and automation that truly reduces the burden on engineering teams instead of adding to it.
Bringing These Capabilities to FOSSA
Tomorrow, we will be excited to share some more news about what we’ve been working on. We’re starting with the hardest ecosystem first — JavaScript and TypeScript — and we’ll be expanding into more languages soon.