I'm Roman Zabicki. I've spent over 25 years writing software and the last decade focused on application security. I believe the best security is the kind no one has to think about — where the easiest path is already the secure one.

Upgrader

I'm building Upgrader, a tool that automates third-party library upgrades. Point it at your source code and it gives you a pull request with updated code, tests, and screenshots — not just a version bump.

The problem

Library upgrades are painful, so they don't get done very often. When they finally do get done, the gap is so large that the upgrade takes even more time and effort — breaking changes have piled up, and the risk is higher. Because the work is big, it needs estimates, which take time to produce, and neighboring teams get dragged in because the delays will affect them. Everyone from compliance to product to engineering ends up arguing over priority. A huge amount of work goes into estimating, tracking, and managing the upgrade itself. The worst part is that this process is so familiar it feels normal. We've developed a pain tolerance for it.

But what if upgrading was so cheap and low-risk that teams just did it all the time, whether there were vulnerabilities or not? No tickets. No SLAs. No estimates. Just always on the latest version. (Ok, ok. Not actually the latest version. Let's upgrade to the latest after a brief cooldown period, long enough for a broken or compromised release to be noticed and pulled by someone else first.)

That's the premise of Upgrader.

This isn't a new observation. In 2018, I wrote Practical Security, a book about security for people who aren't security specialists. The first chapter was about patching — I put it before vulnerabilities, before cryptography, before everything else, because staying current on dependencies is the single highest-leverage thing most teams can do. The advice was right. It didn't help, though, because effort and risk are the real problem, not knowledge.

How it works

Upgrader reads the diffs between library versions along with release notes and migration guides. It uses AI to analyze these changes and generate deterministic code transforms. When those transforms run into problems, AI picks the next steps.

AI does the research. Traditional code does most of the execution. AI cleans up when things go sideways.

AI is an unpredictable genie. So don't fight the predictability fight — cheat. Put the genie in an environment where it can't hurt you. Git access and a library name go in. A pull request comes out. The AI might hallucinate or stumble — doesn't matter. What you get is a PR, and it gets the same treatment as any other outside contribution: read it, lint it, test it, and if it looks good ship it. Let the genie work its magic. If you don't like the way it granted your wish, the PR is right there — revert it, and then rub the lamp again.
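The shape described above, as an added example that is not Upgrader's code: a deterministic pass applies the rewrites that are safe to make mechanically, then scans what is left for constructs it has no safe rewrite for and reports those, with line numbers and hints, for the non-deterministic step instead of guessing. The rule names, hints and both sample files are constructed for this example; the API changes they target (createApp replacing new Vue and $mount, render functions no longer receiving h, the global API moving to the app instance, removed instance APIs) are documented Vue 3 breaking changes. It works on text, not an AST, which is enough to show the boundary but not enough for a real tool.

```javascript
// Added example, not Upgrader's code. Rule names, hints and sample files are
// constructed; the API changes targeted are documented Vue 3 breaking changes.
// Text-level only: a production tool would match on an AST, not regexes.

// Rewrites that are safe to apply mechanically.
const RULES = [
  { name: 'import-create-app',      // import Vue from 'vue' -> import { createApp } from 'vue'
    pattern: /^import Vue from (['"])vue\1/gm, replacement: 'import { createApp } from $1vue$1' },
  { name: 'new-vue-to-create-app',  // new Vue({ ... }) -> createApp({ ... })
    pattern: /\bnew Vue\(/g, replacement: 'createApp(' },
  { name: 'mount',                  // .$mount('#app') -> .mount('#app')
    pattern: /\.\$mount\(/g, replacement: '.mount(' },
];

// Constructs with no single mechanical rewrite. These are reported to the
// non-deterministic step with a line number and a hint instead of being guessed.
// No `g` flag here: RegExp#test keeps state across calls when `g` is set.
const ESCALATIONS = [
  { name: 'global-api-on-vue',
    pattern: /\bVue\.(config|component|directive|mixin|use|prototype|filter|extend)\b/,
    hint: 'moved to the app instance (app.use, app.component, app.config.globalProperties) or removed (filter, extend)' },
  { name: 'render-h-argument',
    pattern: /\brender\s*:\s*\(?\s*h\s*\)?\s*=>/,
    hint: 'render functions no longer receive h; import { h } from "vue"' },
  { name: 'el-option',
    pattern: /^\s*el\s*:\s*['"]/,
    hint: 'the el option is gone; mount explicitly with app.mount(selector)' },
  { name: 'removed-instance-api',
    pattern: /\$(listeners|children|destroy|on|off|once)\b/,
    hint: '$listeners merged into $attrs, $destroy became app.unmount(), $on/$off/$once need an external emitter' },
];

function applyRules(source) {
  const applied = [];
  let out = source;
  for (const rule of RULES) {
    const next = out.replace(rule.pattern, rule.replacement);
    if (next !== out) applied.push(rule.name);
    out = next;
  }
  return { source: out, applied };
}

function findEscalations(source) {
  const found = [];
  source.split('\n').forEach((text, i) => {
    for (const check of ESCALATIONS) {
      if (check.pattern.test(text)) {
        found.push({ line: i + 1, rule: check.name, hint: check.hint, text: text.trim() });
      }
    }
  });
  return found;
}

// Deterministic pass first; the AI step runs only if something is left over.
function upgrade(source) {
  const { source: transformed, applied } = applyRules(source);
  const escalations = findEscalations(transformed);
  return { source: transformed, applied, escalations, needsAi: escalations.length > 0 };
}

// Constructed Vue 2 entry point in the shape vue-cli generated (not real user code).
const SAMPLE_VUE2_MAIN = [
  "import Vue from 'vue';",
  "import App from './App.vue';",
  "import router from './router';",
  '',
  'Vue.config.productionTip = false;',
  'Vue.use(router);',
  'Vue.prototype.$http = fetch;',
  '',
  'new Vue({',
  '  router,',
  '  render: h => h(App),',
  "}).$mount('#app');",
  '',
].join('\n');

// Constructed file already on Vue 3: nothing should fire, and nothing should change.
const SAMPLE_VUE3_MAIN = [
  "import { createApp } from 'vue';",
  "import App from './App.vue';",
  '',
  "createApp(App).mount('#app');",
  '',
].join('\n');

const result = upgrade(SAMPLE_VUE2_MAIN);
console.log(result.source);
console.log('applied:', result.applied.join(', '));
for (const e of result.escalations) {
  console.log(`line ${e.line} [${e.rule}] ${e.text}\n    -> ${e.hint}`);
}
console.log('needs AI step:', result.needsAi);
```

Run it with node. The part worth copying is the boundary: anything the deterministic pass cannot rewrite with confidence is reported, not patched, so the unpredictable step only ever sees a bounded list of leftovers, and whatever it does with them still lands in a PR that a human reads.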

Current status

For now, Upgrader only handles Vue 2 → Vue 3 migrations. It's been tested on ~30 codebases, with ~10 upgrading reliably. I'm actively expanding coverage and working on a hosted version so you can try it without local setup.

But soon, I hope to support more libraries, and eventually more languages.

Why Vue?

Vue 2 reached end of life at the end of 2023, and a massive number of codebases are still stuck on it. The migration to Vue 3 is notoriously painful — the new Proxy-based reactivity system, removed APIs (filters, $listeners, the $on/$off/$once instance methods, Vue.extend), template compiler changes, and the pull toward the Composition API even though the Options API still works. It's a perfect test case because the breaking changes are numerous but well-documented.

The bigger idea

Most of the conversation about AI right now is about cost reduction — producing the same output, preserving the same old problems, just with fewer people. That's the wrong goal. Instead, let's focus on using AI to increase quality while keeping the same number of people. Workers are not the enemy.

Almost no one was doing dependency upgrades well before. The labor cost was too high. If AI makes upgrading cheaper, the result isn't replacing the person who did upgrades — there was no such person. The result is that software gets meaningfully more secure.

Get in touch

If you're stuck on a Vue 2 → Vue 3 migration and want to try Upgrader, or if you want to follow along as the project develops, reach out at upgrader@punkgrok.org.