youssef

Zorv - Autonomous AI CVE Patcher for Node.js & Python

Hey guys, I wanted to share the launch of my side project: Zorv.

What it is: An autonomous security agent that doesn't just alert you about npm/Python CVEs—it bumps the package, runs your tests, uses an LLM to write the code fixes for any breaking API changes, and opens a clean PR once tests pass.

Why I built it: I got tired of Dependabot PRs sitting in backlogs because a minor/major version bump broke a test and nobody had time to fix it.

youssef
Maker
Bumping vulnerable dependencies (like Dependabot does) is easy. The hard part is when a major upgrade breaks your test suite, and now someone has to manually refactor code. I wanted to automate this with an LLM agent, but I had a massive security constraint: How do you safely execute AI-generated code and run test suites without giving it access to the host runner or environment variables?

Here is the architecture I built:

The Loop: The agent bumps the dependency, runs the test suite, captures the error log on failure, and feeds it to an LLM to rewrite the breaking API call. It loops up to 10 times until tests pass.

The Sandbox: To prevent the LLM (or a malicious package) from executing a directory traversal or exfiltrating env secrets, the entire install/test sequence runs inside a hardened Bubblewrap Linux sandbox built into a Docker image.

The Configuration: It's 100% self-hosted. It runs as a single Docker container locally or inside a GitHub Actions pipeline, using your own LLM API keys (OpenAI, Claude, Azure, etc.) so source code never leaves your infrastructure.

I ran into some weird issues with WSL2/Docker user namespaces requiring unconfined seccomp profiles, but got it working stably. If you're interested in the setup or the GitHub Action workflow template, let me know. I've packaged it into a CLI tool called Zorv (zorv.openyf.dev). Would love to get feedback on the sandboxing approach or hear how you guys manage automated breaking dependency upgrades!
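Added example, not Zorv's code and not part of the comment above: a sketch of the loop-plus-sandbox pattern it describes, covering the test step only, with networking off. It assumes `bwrap` is installed on a merged-`/usr` distribution; `bwrap_argv`, `repair_loop` and the `propose_fix` callback are hypothetical names.

```python
import os
import subprocess

MAX_ATTEMPTS = 10  # the post's loop gives up after 10 tries


def bwrap_argv(workdir, command):
    """Build the bubblewrap command line for one sandboxed test run."""
    return [
        "bwrap",
        "--unshare-all",      # fresh user/pid/net/ipc/uts/cgroup namespaces; no network
        "--die-with-parent",  # sandbox is killed if the agent process exits
        "--new-session",      # detach from the caller's controlling terminal
        "--clearenv",         # host env vars (API keys, CI tokens) are not inherited
        "--setenv", "PATH", "/usr/bin:/bin",
        "--setenv", "HOME", "/tmp",
        "--ro-bind", "/usr", "/usr",       # toolchain is visible but read-only
        "--symlink", "usr/bin", "/bin",    # assumes a merged-/usr distribution
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--bind", os.path.abspath(workdir), "/work",  # the only writable host path
        "--chdir", "/work",
        "--", *command,
    ]


def repair_loop(workdir, test_cmd, propose_fix, run=subprocess.run):
    """Return the attempt number on which tests passed, or None after MAX_ATTEMPTS.

    propose_fix(log) is a hypothetical callback standing in for the LLM step:
    it receives the failing test output and edits files under workdir.
    """
    for attempt in range(1, MAX_ATTEMPTS + 1):
        result = run(bwrap_argv(workdir, test_cmd),
                     capture_output=True, text=True, timeout=600)
        if result.returncode == 0:
            return attempt
        if attempt < MAX_ATTEMPTS:  # no point proposing a fix that is never tested
            propose_fix(result.stdout + result.stderr)
    return None


if __name__ == "__main__":
    print(" ".join(bwrap_argv(".", ["python3", "-m", "pytest", "-q"])))
```

The LLM API key stays in the agent process outside the sandbox; only the failing test log crosses the boundary, so that log is the one channel left to review for leaked data.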