Package managers — patching reference

Once a scanner has flagged a vulnerable dependency the question becomes mechanical: which lockfile to edit, how to upgrade a direct dep, how to coerce a transitive you don’t declare, how to verify integrity. The answer is different for every package manager and changes slowly enough that the reference is worth keeping in one place.

These pages cover the supported ecosystems in detail. Scanner pages (Vulnetix, Snyk OSS, GitLab Dependency Scanning, Dependabot, Grype, osv-scanner) link here from their “Producing a CycloneDX VEX” sections rather than duplicating the content.

By language family

  • JavaScript — npm, pnpm, Yarn
  • Python — pip + requirements, Pipenv, Poetry, uv
  • JVM — Maven, Gradle (Java / Kotlin / Scala)
  • .NET — NuGet (with Central Package Management)
  • Go — Go modules
  • Rust — Cargo
  • Ruby — Bundler
  • PHP — Composer
  • Swift / iOS — SwiftPM, CocoaPods, Carthage
  • Other ecosystems — Dart pub, Mix (Elixir), Rebar3 (Erlang), Cabal/Stack (Haskell), opam (OCaml), Nix flakes, Conan, vcpkg

Transitive coercion — quick-reference

The single most-used view across all managers: how to force a transitive dependency to a specific version without declaring it directly.

ManagerMechanism
npmoverrides in package.json
pnpmpnpm.overrides + peerDependencyRules in package.json
Yarnresolutions in package.json (supports glob paths)
pip-toolsPin in requirements.in, recompile
PipenvAdd to [packages] in Pipfile
PoetryDeclare in [tool.poetry.dependencies]
uvDeclare in pyproject.toml [project.dependencies]
Go modulesreplace directive in go.mod
Cargo[patch.crates-io] in Cargo.toml
Maven<dependencyManagement> in root pom.xml
Gradledependencies.constraints + enforcedPlatform()
BundlerExplicit gem declaration in Gemfile
NuGet<PackageVersion> in Directory.Packages.props (CPM)
ComposerAdd to require in composer.json
SwiftPMDeclare package directly with exact()
CocoaPodsDeclare pod directly in Podfile
Dart pubdependency_overrides in pubspec.yaml
Mixoverride: true on the dep tuple in mix.exs
Rebar3{overrides, ...} in rebar.config
Cabalconstraints: in cabal.project
StackAdd to extra-deps in stack.yaml
opampackage {= "x.y.z"} in the *.opam depends: field
Nix flakes--override-input or follows in flake.nix
Conanoverride=True in [requires] or --lockfile-overrides
vcpkgoverrides[] in vcpkg.json

Per-manager structure

Each per-language page follows the same shape. For every package manager covered:

  • Lockfile — path and shape
  • Direct upgrade — single command to bump a declared dep
  • Transitive coercion — the platform-specific way to pin a dep you don’t declare
  • Integrity — how the lockfile binds version to hash and what verifies it
  • Gotchas — peer-dep rules, native bindings, version drift, monorepo quirks

The patterns are practical, not academic — the goal is to give you the exact thing to type next when the scanner output names a CVE on a transitive your team has never touched.