The standard answer to "how do I prioritize CVE fixes?" is "fix critical first, then high". This is wrong, or at least incomplete. A critical CVE in a build-time-only sub-dependency that is no longer maintained is a different problem from a critical CVE in your authentication library. Triaging them identically is how teams burn weeks fixing the wrong things.
The four axes of real risk
- CVSS severity (the score the CVE comes with): 0–10
- Depth in your dependency tree: 1 (direct) to N (deep transitive)
- Maintainer health of the affected package: actively maintained vs abandoned
- Exploit maturity: PoC public? Active in-the-wild exploitation? (CISA KEV catalogue)
A scoring formula that actually works
The DepTriage scoring formula is intentionally simple — it has to be auditable on paper:
```text
risk = severity_weight × depth_factor × maintainer_factor × exploit_factor

severity_weight   = CVSS / 10                                  (0.0–1.0)
depth_factor      = 1.0 if depth == 1, 0.7 if 2, 0.5 if 3, 0.3 if 4+   (proxy for reachability)
maintainer_factor = 1.5 if abandoned, 1.0 otherwise            (abandoned = no fix coming)
exploit_factor    = 2.0 if in CISA KEV, 1.3 if PoC public, 1.0 otherwise

final = round(risk × 100)
```
The numbers are tunable, not sacred. The point is: you have a single number per CVE that combines four signals, and you sort the report by that number. The top 30 lines are your triage list.
What this looks like in practice
| Package | CVE | CVSS | Depth | Status | Score |
|---|---|---|---|---|---|
| lodash@4.17.15 | CVE-2020-8203 | 7.4 | 1 | maintained | 74 |
| node-uuid@1.4.8 | CVE-2015-8851 | 5.3 | 3 | abandoned | 40 |
| minimist@1.2.5 | CVE-2021-44906 | 9.8 | 4 | maintained | 29 |
| request@2.88.2 | CVE-2023-28155 | 6.1 | 2 | abandoned | 64 |
Notice how request@2.88.2 outranks minimist@1.2.5 despite a lower CVSS: request sits at depth 2 and is abandoned, while minimist is a deep transitive dependency that is still maintained. All four rows use exploit_factor = 1.0 (no public PoC, not in KEV); if minimist's CVE were added to KEV its score would double to 59 and move it into the top bucket.
What to do with the top 30
- Score 50 and above → fix this release
- Score 30–49 → schedule next quarter, document in the SBOM
- Score below 30 → track, no immediate action
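The formula, the sample table and the bucket thresholds above, implemented end to end as an added example (this is illustrative code written for this page, not DepTriage's own implementation). It assumes findings arrive as records with CVSS, depth, maintainer status and exploit maturity already resolved, and applies the FAQ's 5.0 default when CVSS is missing.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Weight tables copied from the formula above; tune them, they are not sacred.
DEPTH_FACTOR = {1: 1.0, 2: 0.7, 3: 0.5}        # depth >= 4 falls back to 0.3
EXPLOIT_FACTOR = {"kev": 2.0, "poc": 1.3, "none": 1.0}

@dataclass
class Finding:
    package: str
    cve: str
    cvss: Optional[float]          # None when the advisory carries no CVSS
    depth: int                     # 1 = direct dependency, N = deep transitive
    abandoned: bool                # True = no upstream fix is coming
    exploit: str = "none"          # "kev", "poc" or "none"

def score(f: Finding) -> int:
    cvss = 5.0 if f.cvss is None else f.cvss   # FAQ default for a missing score
    severity_weight = cvss / 10
    depth_factor = DEPTH_FACTOR.get(f.depth, 0.3)
    maintainer_factor = 1.5 if f.abandoned else 1.0
    exploit_factor = EXPLOIT_FACTOR[f.exploit]
    risk = severity_weight * depth_factor * maintainer_factor * exploit_factor
    return round(risk * 100)

def bucket(s: int) -> str:
    """Map a score to the action list above."""
    if s >= 50:
        return "fix this release"
    if s >= 30:
        return "schedule next quarter"
    return "track"

def triage(findings: List[Finding], top: int = 30) -> List[Tuple[str, str, int, str]]:
    """Return (package, cve, score, bucket) tuples, highest risk first, top N only."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.package, f.cve, score(f), bucket(score(f))) for f in ranked[:top]]

# Constructed sample input: the four rows from the table above (exploit = none).
SAMPLE = [
    Finding("lodash@4.17.15", "CVE-2020-8203", 7.4, 1, False),
    Finding("node-uuid@1.4.8", "CVE-2015-8851", 5.3, 3, True),
    Finding("minimist@1.2.5", "CVE-2021-44906", 9.8, 4, False),
    Finding("request@2.88.2", "CVE-2023-28155", 6.1, 2, True),
]

if __name__ == "__main__":
    for pkg, cve, s, b in triage(SAMPLE):
        print(f"{s:3d}  {pkg:18} {cve:16} {b}")
```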
Get a scored, sorted triage list from your lockfile
DepTriage applies this formula automatically and exports the result as CSV or CycloneDX SBOM with VEX.
FAQ
EPSS (Exploit Prediction Scoring System) is excellent and DepTriage uses it where available — it answers "is this CVE likely to be exploited in the next 30 days?". CVSS is a prerequisite anyway because EPSS doesn't cover all CVEs.
Yes. KEV is curated by CISA, but the vulnerabilities it lists are being actively exploited in the wild worldwide, so it is not a US-only concern. EU regulators reference it.
Default to 5.0 (medium). Some advisories omit CVSS entirely; others carry multiple vectors, in which case take the highest score.