Autonomous CVE Patching with Coni Agent Studio
Building a multi-agent orchestration system from scratch often means dealing with endless layers of complexity: orchestrating interpreters, managing external tool executions, and wrangling the rigid schema constraints of external LLM APIs.
But Coni is the answer to complexity.
With Coni Agent Studio, we’ve built a streamlined, native orchestration layer where agents don’t just chat—they act, execute, and solve real-world engineering problems autonomously.
To demonstrate the power of this system, we built an end-to-end swarm dedicated to one of the most tedious tasks in software engineering: Javascript Dependency Security and CVE Patching.
Here is how Coni Agent Studio handles it autonomously.
The Swarm Orchestrator
At the core of the system is the Swarm Orchestrator. Powered by an LLM like OpenAI’s gpt-4o-mini, the Orchestrator’s sole job is to break down high-level user goals and delegate them to specialized, narrowly-focused worker agents.
When you give the Orchestrator a prompt like:
“Scan package.json for CVEs using OSV.dev, propose fixes for lodash and axios, run npm install, and commit the results.”
The Orchestrator instantly formulates a plan and dispatches the JS CVE Scanner agent to the repository.
Autonomous Discovery and API Integration
The JS CVE Scanner is equipped with a specific set of tools: tool-shell, tool-cat, and tool-http.
- Local Context: It begins by using
tool-shellto read the target project’spackage.json, extracting bothdependenciesanddevDependencies. - External Intelligence: It then formats a batch payload and uses
tool-httpto hit the OSV.dev vulnerability API. Thanks to Coni’s nativesys-http-requestbindings, the agent can seamlessly execute complex POST requests, handling headers and JSON payloads natively without breaking out of the sandbox.
Analysis and Reporting
Once the OSV API returns the vulnerability data, the agent analyzes the results. It maps the installed versions against the vulnerable ranges, extracting critical information:
- The specific CVE IDs (e.g., CVE-2019-10744 for lodash)
- The CVSS Severity scores
- The exact versions where the vulnerabilities were fixed
Auto-Remediation and Git Integration
The magic of Coni Agent Studio is that it doesn’t just stop at reporting. The agent takes the intelligence it gathered and moves to remediation:
- It uses its file-editing tools to surgically bump the vulnerable versions in
package.jsonto their safe counterparts. - It executes
npm installvia the shell to regenerate thepackage-lock.json. - It adds comments directly into the source code (
index.js) noting exactly which CVEs were resolved and why the bumps occurred. - Finally, it uses git tools to stage the modifications and autonomously generate a detailed commit message outlining the security patches.
The Result
What used to require a developer running npm audit, manually cross-referencing CVE databases, editing files, and testing builds is reduced to a single prompt.
By unifying the interpreter, the standard library, and LLM tooling constraints into a single cohesive runtime, Coni Agent Studio transforms the complexity of multi-agent engineering into pure, actionable simplicity.