// solutions - security advisory patching

Patch CVEs as soon as they land

With the rise of AI, the number of security advisories is ramping up. Every advisory pulls engineers into triage, package selection, validation, review, and audit notes. Bosun starts that task when the advisory lands, applies your policy, and produces a reviewable PR or a clear reason to wait.

// why this hurts

Every advisory asks for engineering time.

The alert is the easy part. The real cost is pulling engineers out of product work to identify exposure, choose a safe target version, prove the fix, and explain the change under pressure. As npm security noise grows, slow response becomes a planning problem, not just a security problem.

Recent npm reality

Shai-Hulud was not "just another CVE". That is the point.

Self-spreading npm malware, compromised package releases, install-time payloads, and trusted-publisher abuse all create the same operational work: stop what you were building, find exposure fast, choose the right fix, verify it, and leave a clear audit trail.

// the cve patching task

Patch when ready. Explain when not.

CVE patching is a process, not a moment. Bosun gives that process structure: detect exposure, triage advisories, choose a safe fix, prove the change, and document the decision. Already handling CVEs differently? Modify the task to match your policy, use it as a template for other ecosystems, or roll your own.

  1. Detect: Find affected package roots.
  2. Triage: Group advisories and link sources.
  3. Gate: Check maturity, policy, and risk.

ready
  1. Patch: Update one package family.
  2. Prove: Run audit and tests.
  3. Pull request: Reviewable advisory, diff, and proof.

not ready
  1. Hold: Do not rush an immature fix.
  2. Explain: Update the issue with the wait reason.
  3. Resume: Run again when policy clears.

// review artifact

Make the pull request easy to trust.

Reviewers get the advisory, decision, patch, proof, and rollback path in one place. No one has to infer security intent from a package-lock diff.

Draft PR: Patch npm advisory: @tanstack/router-core

Why this matters

CVE-2026-45321 involved malicious npm versions published through a trusted release path. This repo resolves through the affected package family.

Change

@tanstack/router-core 1.169.5 -> fixed release

Proof

audit clean, tests pass, lockfile diff scoped

Reviewer notes
  • Multiple package advisories grouped into one dependency PR.
  • Package age gate checked before selecting the target release.
  • Unsafe or immature fixes stay in issue triage until ready.
  • No build-script approval changes made without review.
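The Gate step of the task and the "package age gate" reviewer note above both describe refusing a fix release until it has been public long enough. The following is an added example of that check, not Bosun's own code; it assumes the registry packument's `time` field as the source of publish dates, and every advisory field, version (other than the 1.169.5 shown in the draft PR) and date is a constructed sample value.

```javascript
// Added example, not Bosun's code: the "package age gate" from the Gate step
// and the reviewer notes above. Given an advisory's first fixed version and the
// registry publish times for the package, pick the lowest fixed release that has
// been public for at least minAgeDays; otherwise return the reason to wait.
// Every advisory field, version (other than 1.169.5) and date below is a
// constructed sample value.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
// Minimal x.y.z comparator; production code would use the semver package,
// which also handles prerelease tags and build metadata.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// `times` has the shape of a registry packument's "time" field: version -> ISO
// publish date, plus the non-version keys "created" and "modified".
function gateFix(advisory, times, now, minAgeDays) {
  const fixed = Object.keys(times)
    .filter(v => /^\d+\.\d+\.\d+$/.test(v))
    .filter(v => cmpVersion(v, advisory.firstFixed) >= 0)
    .sort(cmpVersion);
  if (fixed.length === 0) {
    return { ready: false, reason: `no fixed release of ${advisory.name} in registry` };
  }
  for (const v of fixed) {
    const ageDays = (now - Date.parse(times[v])) / MS_PER_DAY;
    if (ageDays >= minAgeDays) return { ready: true, version: v };
  }
  // Nothing clears the gate yet: say when the oldest fixed release will.
  const oldest = fixed.reduce((a, b) => (Date.parse(times[a]) <= Date.parse(times[b]) ? a : b));
  const waitDays = Math.ceil(minAgeDays - (now - Date.parse(times[oldest])) / MS_PER_DAY);
  return {
    ready: false,
    reason: `${advisory.name}@${oldest} fixes the advisory but is younger than ` +
      `${minAgeDays} days; re-run in ${waitDays} day(s)`,
  };
}

// Constructed sample: 1.169.5 (from the draft PR) is installed; 1.169.6 is the fix.
const sampleAdvisory = { name: '@tanstack/router-core', firstFixed: '1.169.6' };
const sampleTimes = {
  created: '2020-01-01T00:00:00.000Z',
  modified: '2026-03-10T00:00:00.000Z',
  '1.169.5': '2026-02-20T00:00:00.000Z',
  '1.169.6': '2026-03-10T00:00:00.000Z',
};
console.log(gateFix(sampleAdvisory, sampleTimes, Date.parse('2026-03-12T00:00:00Z'), 7));
console.log(gateFix(sampleAdvisory, sampleTimes, Date.parse('2026-03-20T00:00:00Z'), 7));
```

The second call returns a ready verdict with the target version; the first returns the wait reason that the Explain step would post to the issue.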

npm CVE response

Stop losing engineering time to CVE fire drills.

Bosun starts remediation when advisories land, applies your policy, and gives reviewers the advisory, patch, and proof in one place.