At Microsoft, Python has long been one of our most popular programming languages. Our developers use it for building production systems, internal tools, automation workflows, and more. We estimate that at least 67,000 employees use it every day.
At that scale, Python dependencies have emerged as a significant source of risk for us—representing the third-largest vulnerability surface across the company.
The good news is that we have strong visibility into these vulnerabilities, with tools that continuously detect and surface risks across our codebases. The bad news is that turning those insights into action required a complex remediation process.
Updating a single code package often caused changes across multiple interdependent libraries. This required coordinated updates, validation, and testing to maintain system stability.
Multiply this by thousands of projects throughout our enterprise, and vulnerabilities accumulated much faster than we could resolve them. To address this challenge, we turned to AI.
Microsoft Digital—the company’s IT organization—has developed an AI-powered solution called Python Dependency Remediation. Designed to work directly within the developer workflow, this solution analyzes dependency chains, applies required updates, and automatically adjusts the code. This enables our engineers to remediate vulnerabilities quickly and consistently at enterprise scale.
“I’ve worked for years in the vulnerability management space at Microsoft,” says Humberto Arias, a senior product manager in Microsoft Digital. “When AI arrived, I saw it as a great opportunity to finally fix a very complex problem we had: The level of entanglement involved in Python code dependencies. A simple script wasn’t going to resolve it—you needed the power of AI.”
The tool has shown so much promise that we have begun releasing it externally, so that millions of Python developers around the world can take advantage of it.
Flexibility leads to dependencies and risk
Python is a very flexible language, which is why it’s so popular among software developers. But that same flexible nature—it can be used across a wide range of scenarios—also means it forms deeply interconnected dependency chains. When one code library is updated, it can trigger changes across many others.
“I used to have this problem all the time,” says Rich Chiodo, a principal software engineer on the team responsible for Python Tools and AI. “I upgrade one library, and then I’ve got to upgrade 17 other things, and something else breaks, and now my code is completely different.”
Because the code is so interdependent and remediation is time-consuming, many developers skip updating their code packages, which can lead to security vulnerabilities.
Security compliance was often seen as a burden because it slowed people down.
“Developers avoid the upgrades because the dependency web is so complex,” says Chintan Sheth, a principal engineering manager on the Viva Glint product team. “This means the vulnerabilities accumulate over time and can become a real security risk.”
Hacking our way to a solution
Like some of the best internally developed tools and processes, Python Dependency Remediation came out of a Microsoft hackathon project. These grassroots events allow our engineers to tackle interesting technical challenges in a collaborative, creative way.
“After my manager mentioned it, I reviewed the idea on the hackathon page, and it looked really interesting to me,” says Shiva Krishna Gollapelly, a senior software engineer in Microsoft Digital and the lead developer on the project. “So I jumped in, and we created a prototype and a demo video with a quick solution. That’s how it started.”
The fact that this solution came from a hackathon highlights the ideas-driven culture that we promote at the company.
“This really speaks to our special culture of innovation,” says Snigdha Bora, a principal group engineering manager for Employee Experience. “After this emerged from the hackathon, our developers realized it could solve a problem at scale—that it was worth taking through the full development cycle so we can release it for all of Microsoft, and maybe beyond.”
Solving the issue with one click (and AI)
Because the challenge was not detecting vulnerabilities but fixing them, we had to rethink how we addressed Python dependencies.
In the past, when engineers received a vulnerability notification, they would have to step outside their development workflow and address the issue. What was needed was a solution that could be enacted within their normal workflow—integrating remediation directly into the tools they were already using.
So, we created the Python Dependency Remediation extension for Visual Studio Code, a common Python development environment. Once installed, engineers can address vulnerabilities in the flow of their work.

“The extension automatically finds the right updates and then fixes the vulnerabilities, so developers don’t need to do the research, the manual upgrades and fixes, run test cases, debugging—all those things that used to take so much time,” Gollapelly says. “With our solution, it’s just one button click and it does all of that automatically, with the help of AI.”
The extension uses the APIs built into Visual Studio Code to connect with any AI model the user has access to. (If there is no AI model available, Gollapelly explains, the extension will still make the package updates but won’t do the remediation fixes to the code.) It also produces a report of the changes for the developer to review in case there’s a snag that needs troubleshooting.
“This tool removes a significant burden from our developers,” Bora says. “We are shifting the entire remediation process left, embedding it early in the development workflow. Developers can review the changes and move forward immediately, making the whole process more efficient.”
The result is that fixes and upgrades that used to take multiple hours of developer time now take minutes, and the code is much more reliable.
The agent in this solution closes that loop, doing the verification work that the engineer used to have to do by hand.
“We’ve upgraded the library with new methods, calls, and structures,” says Angel Saldivia, a software engineer on the SharePoint product team. “Now, let’s make sure everything works, check for errors in the code, etc. That’s the gap we’re bridging with AI.”
From Customer Zero to global impact
One of the powerful things about working at Microsoft is that you get to help develop technology tools that can change the world. This is the case with Python Dependency Remediation as well.

“We realized this technology had much broader value. There are hundreds of millions of Python users worldwide, so the impact could be massive.”
Snigdha Bora, principal group engineering manager, Employee Experience
As Bora explains, while the solution was being developed it was presented to Guido van Rossum, the creator of Python (and a Microsoft employee). He immediately saw the incredible potential of the concept.
“He suggested that we could take this solution to the world, not just to Microsoft,” Bora says. “We realized this technology had much broader value. There are millions of Python users, so the impact could be massive.”
To help make this happen, Microsoft Digital approached Graham Wheeler, a principal group engineering manager on the Python and Tools for AI team. Wheeler’s team is responsible for shipping Pylance, a development extension for Visual Studio Code used by more than 180 million developers worldwide.

“One of the things we could do was provide a jumping-off point for this extension, so that when users installed Pylance they’d be prompted to also download Python Dependency Remediation. It can help raise awareness, because many users don’t actually do the dependency scanning and updating that they should.”
Graham Wheeler, principal group engineering manager, Python and Tools for AI
Wheeler and his team are in the process of incorporating the Python Dependency Remediation extension as an option during Pylance installation. This will open up a convenient vector for getting the tool in front of a huge audience, potentially revolutionizing Python development.
“One of the things we could do was provide a jumping-off point for this extension, so that when users installed Pylance they’d be prompted to also download Python Dependency Remediation,” Wheeler says. “It can help raise awareness, because so many users don’t actually do the dependency scanning and updates that they should. So, we’re helping with that challenge.”
Beyond Python, the AI-powered technology behind this extension might be applied to other dependency challenges as well. What started as a simple hackathon project could have huge ramifications for the future of software development.
“This solution can easily be adapted to other libraries, other programming languages,” Gollapelly says. “Whether you’re talking about C#, Angular, React, or another language, the concept is the same. The implications are vast.”
Key takeaways
Here are some points to keep in mind if you are thinking about tackling this kind of code-dependency issue at your organization:
- AI can make the difference between simple awareness and actual resolution. We already had strong tools to detect Python vulnerabilities, but AI is what finally enabled remediation at scale across thousands of projects.
- Python’s flexibility is both its strength and its biggest risk multiplier. Deep dependency chains mean that a single update can cascade into widespread breakage, with manual fixes slow and error-prone.
- Automation embedded in the developer workflow is the breakthrough. By integrating directly into Visual Studio Code, Python Dependency Remediation allows developers to fix vulnerabilities with minimal friction—often in just one click.
- AI dramatically compresses remediation time, from hours to minutes. Tasks that once required manual research, testing, and debugging are now handled automatically, improving both speed and code reliability.
- The “shift left” approach is key to efficiency gains. Fixing dependency issues earlier in the development cycle reduces downstream complexity and keeps developers in the flow of their work.
- This innovation has potential far beyond Microsoft—and beyond Python. With the potential for distributing the solution widely and adapting it to other languages, this breakthrough could reshape how developers everywhere manage dependencies.