PatchPact

PatchPact is a web app + GitHub/GitLab app that turns dependency upgrades into enforceable, trackable “pacts” between platform teams and product teams. Instead of endless dashboards and ignored alerts, it sets policy-backed deadlines per package (e.g., log4j, OpenSSL, Spring), auto-creates upgrade PRs, and escalates only when teams miss agreed timelines. It maps dependencies to services, owners, and environments, then calculates a simple risk score using CVE severity, exploitability signals, and runtime exposure. The product focuses on workflow: Slack/Jira nudges, exception requests with approvals, and a clear audit trail for compliance. It’s not trying to replace Snyk/Dependabot; it sits on top to make remediation actually happen. Expect hard constraints: it will only work well if repos have decent ownership metadata and CI is healthy enough to validate upgrade PRs.
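The paragraph above describes three mechanisms without showing them: a risk score blended from CVE severity, exploitability signals and runtime exposure; a policy deadline per package derived from that score; and escalation only once an agreed deadline (or an approved exception) has passed. The following Python is an added illustration of that workflow, not PatchPact's own code: the weights, SLA tiers, the EPSS-style probability field, the "known exploited" flag and the three findings are all constructed assumptions, chosen so that each pact status (on track, due soon, overdue) appears once.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy: remediation SLA in days per risk tier (assumed values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    package: str
    service: str
    owner: str                 # team that owns the service (from repo metadata)
    environment: str           # "prod" | "staging" | "dev"
    internet_facing: bool
    cvss: float                # CVE base severity, 0-10
    known_exploited: bool      # e.g. listed in a known-exploited-vulns catalogue
    epss: float                # exploit-probability signal, 0-1 (assumed field)
    opened: date               # when the pact (deadline) was created
    exception_until: Optional[date] = None  # approved exception, if any


def risk_score(f: Finding) -> float:
    """Blend severity, exploitability and runtime exposure into a 0-100 score.
    The 0.5/0.3/0.2 weights and exposure factors are assumptions for this demo."""
    severity = f.cvss / 10.0
    exploitability = max(f.epss, 1.0 if f.known_exploited else 0.0)
    exposure = {"prod": 1.0, "staging": 0.6, "dev": 0.3}[f.environment]
    if not f.internet_facing:
        exposure *= 0.7        # reachable only from inside the network
    return round(100 * (0.5 * severity + 0.3 * exploitability + 0.2 * exposure), 1)


def tier(score: float) -> str:
    if score >= 75:
        return "critical"
    if score >= 50:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def deadline(f: Finding) -> date:
    """Policy deadline; an approved exception replaces it rather than deleting it."""
    if f.exception_until is not None:
        return f.exception_until
    return f.opened + timedelta(days=SLA_DAYS[tier(risk_score(f))])


def pact_status(f: Finding, today: date) -> str:
    due = deadline(f)
    if today > due:
        return "overdue"
    # "due soon" window: a fifth of the SLA, never less than three days
    window = max(3, SLA_DAYS[tier(risk_score(f))] // 5)
    if today >= due - timedelta(days=window):
        return "due_soon"
    return "on_track"


def escalations(findings, today: date):
    """Only missed pacts escalate: (owner, package, service, days overdue)."""
    out = []
    for f in findings:
        if pact_status(f, today) == "overdue":
            out.append((f.owner, f.package, f.service, (today - deadline(f)).days))
    return out


# Constructed sample findings (not real inventory data).
FINDINGS = [
    Finding("log4j", "payments-api", "team-payments", "prod", True,
            10.0, True, 0.97, date(2024, 1, 1)),
    Finding("openssl", "internal-batch", "team-data", "dev", False,
            7.5, False, 0.05, date(2024, 1, 1)),
    Finding("spring", "admin-portal", "team-platform", "staging", True,
            8.8, False, 0.40, date(2024, 1, 1)),
]
TODAY = date(2024, 1, 27)

if __name__ == "__main__":
    for f in FINDINGS:
        s = risk_score(f)
        print(f"{f.package:8} {f.service:15} score={s:5} tier={tier(s):8} "
              f"due={deadline(f)} status={pact_status(f, TODAY)}")
    print("escalate:", escalations(FINDINGS, TODAY))
```

The escalation list is the only thing that would reach Slack or Jira: the log4j pact (score 100, 7-day SLA from 1 January) is 19 days late on 27 January, the Spring finding is inside its due-soon window and gets a nudge rather than an escalation, and the internal dev-only OpenSSL finding lands in the 90-day medium tier and stays quiet. Keeping exceptions as a replacement deadline rather than a suppression preserves the audit trail the paragraph calls for.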
