This repository is for providing feedback and documentation on the Python Dependency Remediation VS Code extension. You can use this repository to report issues, submit feature requests, or read documentation.
- Install the Python extension from the Marketplace if you haven't already — it will be detected automatically.
- Open a folder containing a `requirements.txt`, `pyproject.toml`, `Pipfile`, or `environment.yml`.
- Vulnerable packages are highlighted automatically with inline CVE counts.
- Click the lightbulb (`Ctrl+.`) on a vulnerable package to upgrade it, or use the notification prompt to upgrade all.
New to the extension? Run `Ctrl+Shift+P` → "Welcome: Open Walkthrough" and select "Get Started with Python Dependency Remediation" for a guided tour.
- Real-time vulnerability scanning — inline CVE decorations with hover details and osv.dev links
- File explorer badges — files with vulnerabilities marked with warning icons
- One-click upgrades — upgrade individual or all vulnerable packages to the latest safe, non-yanked version via PyPI
- Full AI-powered workflow — upgrade → test in isolated venv → detect breaking changes with GitHub Copilot → auto-fix → re-test → generate report
- Markdown security report — auto-generated report with CVE findings, breaking changes (before/after), and test results
- AI-powered analysis — uses GitHub Copilot via the VS Code Language Model API for breaking change detection
- Cross-file consistency check — detect conflicting package versions across multiple requirements files in monorepos
- Multi-format support — `requirements.txt`, `pyproject.toml` (PEP 621 + Poetry), `Pipfile`, and conda `environment.yml`
- Isolated test execution — tests run in a fresh virtual environment — your workspace stays untouched
- Localized UI — available in 15 languages including English, Japanese, Chinese, Korean, German, French, Spanish, and more
| Command | Description |
|---|---|
| Python Dep Rem: Scan Requirements for Vulnerabilities | Scan the active dependency file for CVEs |
| Python Dep Rem: Clear Vulnerability Cache | Reset cached CVE data from OSV.dev |
| Python Dep Rem: Select AI Model | Choose the preferred AI model for analysis |
| Python Dep Rem: Check Version Consistency | Detect conflicting versions across multiple requirements files |
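The two checks above that do not need an AI model, picking the latest safe, non-yanked upgrade target and detecting conflicting pins across several requirements files, are small enough to show end to end. The script below is an added example and is not the extension's own code: it parses `==` pins, evaluates a package version against OSV-style `ECOSYSTEM` ranges, skips yanked releases in a PyPI-style `releases` listing, and reports cross-file conflicts. All input (the three requirements files, the `SAMPLE_PYPI_RELEASES` listing, the `SAMPLE_OSV` advisories with placeholder IDs) is constructed inline so it runs offline; a real scanner would fetch the same shapes from `https://pypi.org/pypi/<name>/json` and OSV's query API. The version comparator is deliberately simplified to dotted numeric versions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: three requirements files as a monorepo might carry them
# (not real project files).
SAMPLE_FILES = {
    "services/api/requirements.txt": "requests==2.25.1\nurllib3==1.26.4\npytest==7.4.0  # test runner\n",
    "services/worker/requirements.txt": "requests==2.31.0\nurllib3==1.26.4\n",
    "tools/requirements.txt": "requests>=2.20  # unpinned, so it never takes part in a conflict\n",
}

# Constructed stand-in for PyPI's JSON API ("releases": version -> list of files,
# each carrying a "yanked" flag). Versions and the yank reason are made up.
SAMPLE_PYPI_RELEASES = {
    "requests": {
        "2.25.1": [{"yanked": False}],
        "2.31.0": [{"yanked": False}],
        "2.32.0": [{"yanked": True, "yanked_reason": "constructed example of a yanked release"}],
        "2.32.3": [{"yanked": False}],
    }
}

# Constructed stand-in for OSV.dev advisories using OSV's ECOSYSTEM range/event shape.
# The IDs are placeholders, not real advisories.
SAMPLE_OSV = {
    "requests": [
        {"id": "CONSTRUCTED-0001", "ranges": [{"type": "ECOSYSTEM",
            "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]},
        {"id": "CONSTRUCTED-0002", "ranges": [{"type": "ECOSYSTEM",
            "events": [{"introduced": "2.32.0"}, {"fixed": "2.32.3"}]}]},
    ]
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization so Requests, requests and Requests_ compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Simplified key for dotted numeric versions ("2.31.0" -> (2, 31, 0)).
    Real code should use packaging.version.Version for full PEP 440 semantics."""
    return tuple(int(p) for p in version.split("."))


def parse_pins(text: str) -> Dict[str, str]:
    """{normalized name: version} for every '==' pin; comments and other specifiers are skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def is_affected(version: str, ranges: List[dict]) -> bool:
    """Walk ECOSYSTEM events in version order: 'introduced' opens a vulnerable interval,
    'fixed' closes it; the version is affected if it lands inside any open interval."""
    v = version_key(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        vulnerable = False
        for ev in sorted(rng["events"], key=lambda e: version_key(next(iter(e.values())))):
            if "introduced" in ev and version_key(ev["introduced"]) <= v:
                vulnerable = True
            if "fixed" in ev and version_key(ev["fixed"]) <= v:
                vulnerable = False
        if vulnerable:
            return True
    return False


def vulnerable_ids(name: str, version: str, osv_db: dict) -> List[str]:
    """Advisory IDs whose ranges cover this exact version."""
    return [adv["id"] for adv in osv_db.get(normalize(name), []) if is_affected(version, adv["ranges"])]


def latest_safe_version(name: str, releases: Dict[str, list], osv_db: dict) -> Optional[str]:
    """Newest release that has files, is not yanked, and matches no advisory range."""
    safe = [ver for ver, files in releases.items()
            if files and not any(f.get("yanked") for f in files)
            and not vulnerable_ids(name, ver, osv_db)]
    return max(safe, key=version_key) if safe else None


def find_conflicts(files: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Cross-file consistency check: {package: {version: [files]}} for packages
    pinned to different versions in different files."""
    seen: Dict[str, Dict[str, List[str]]] = {}
    for path, text in files.items():
        for name, ver in parse_pins(text).items():
            seen.setdefault(name, {}).setdefault(ver, []).append(path)
    return {name: vers for name, vers in seen.items() if len(vers) > 1}


def scan(files: Dict[str, str], releases_db: dict, osv_db: dict) -> list:
    """Findings as (file, package, pinned version, advisory ids, suggested upgrade)."""
    findings = []
    for path, text in files.items():
        for name, ver in parse_pins(text).items():
            ids = vulnerable_ids(name, ver, osv_db)
            if ids:
                target = latest_safe_version(name, releases_db.get(name, {}), osv_db)
                findings.append((path, name, ver, ids, target))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES, SAMPLE_PYPI_RELEASES, SAMPLE_OSV):
        print("vulnerable:", finding)
    print("conflicts:", find_conflicts(SAMPLE_FILES))
```

Two details matter in practice. A yanked release is excluded even when no advisory covers it, because a yank is the maintainer's signal that the release should not be newly installed; and the consistency check only considers `==` pins, so a `>=` specifier in one file never produces a conflict even when a sibling file pins an older version.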
All settings are under the `pythonDepRem` namespace.
| Setting | Type | Default | Description |
|---|---|---|---|
| `pythonDepRem.enableAutoScan` | boolean | `true` | Automatically scan dependency files when opened or modified |
| `pythonDepRem.scanDebounceMs` | number | `1000` | Debounce delay (ms) before scanning after edits (100–30000) |
| `pythonDepRem.cacheExpirationMinutes` | number | `60` | How long to cache CVE data, in minutes (1–1440) |
| `pythonDepRem.aiModel` | string | `auto` | Preferred AI model: `auto` or `copilot` |
| `pythonDepRem.enableAIAnalysis` | boolean | `true` | Enable AI-powered breaking change analysis after upgrades |
- VS Code 1.99.0 or later
- Python 3.x (uses the interpreter selected in the Python extension)
- Python extension (`ms-python.python`) — installed automatically as a dependency
- GitHub Copilot — for AI-powered breaking change detection and automated fixes
- pytest — for running tests during the upgrade workflow
No API keys are required. AI features use your existing VS Code Language Model API entitlement (GitHub Copilot).
This extension collects anonymized usage telemetry via Azure Application Insights to help improve the product. All telemetry respects VS Code's `telemetry.telemetryLevel` setting. No personally identifiable information (PII) is collected — file paths, emails, and credentials are automatically redacted.
To opt out, set `telemetry.telemetryLevel` to `off` in VS Code settings.
- CHANGELOG — version history
- FAQ — frequently asked questions
- TROUBLESHOOTING — known issues and solutions
- CONTRIBUTING — how to report issues and contribute
- SECURITY — security vulnerability reporting
- CODE OF CONDUCT — Microsoft Open Source Code of Conduct
- File a bug in GitHub Issues
- Request a feature in GitHub Issues
See LICENSE for more information.
