Inedo
Announcing ProGet 2026 and PVRS
ProGet 2026 is now available!
This major release introduces the Package Vulnerability Rating System (PVRS), a fundamentally new approach to vulnerability management that helps organizations move beyond theoretical severity scores and focus on what actually matters: whether a vulnerability poses real risk in their environment and what action should be taken.
OSS dependencies now make up the vast majority of modern applications, and with them comes a stream of vulnerability alerts. We’ve often seen these alerts treated according to CVSS scores based on worst-case-scenario exploits. These would trigger automated upgrades and urgent remediation efforts even when the vulnerabilities have little or no practical impact. This has resulted in a cycle of alert fatigue, unnecessary dependency updates, regressions, and slowed delivery.
Sound familiar?
ProGet 2026 was designed to break that cycle, introducing a range of new features that provide clear, context-aware guidance. The aim is to help teams prioritize vulnerabilities based on real-world risk rather than abstract severity.
Alongside this release, we’ve also published Vulnerability Management Done Right with ProGet, a practical guide that explains the concepts behind these new features and how to use them effectively.
What’s New in ProGet 2026
Most vulnerability tools report CVSS scores and severity ratings, but those numbers alone don’t indicate:
- Whether a vulnerability actually affects your application
- What action should be taken
ProGet 2026 addresses this by evaluating vulnerabilities in the context of your environment and translating that analysis into clear, actionable guidance through several new features:
⭐ PVRS Categories
ProGet now rates vulnerabilities according to the Package Vulnerability Rating System (PVRS). The rating is shown as a range of categories from 1 to 5 based on real-world risk.

These categories provide clearer prioritization than raw severity scores alone, helping teams understand what deserves immediate attention and what can be safely monitored.
⭐ Risk Profiles
Risk Profiles allow organizations to define how vulnerabilities should be evaluated based on their own environment and application usage.

Rather than applying generic assumptions, ProGet can consider how a dependency is deployed, whether vulnerable functionality is exposed, and what operational impact an exploit could have.
⭐ Assessment Types
Each vulnerability is assessed as either “Monitor”, “Remediate” or “Contain”, each of which corresponds to a specific response.

This turns vulnerability data into practical guidance rather than simply surfacing alerts.
Custom Assessments and Alerts
Organizations can override and customize assessment types, as well as control which vulnerability alerts are shown or suppressed. This allows teams to align ProGet’s guidance with their internal policies, workflows, and risk tolerance.
Together, these new features help teams focus on vulnerabilities that actually require action. Instead of responding to every alert with an immediate upgrade, organizations can:
- Prioritize vulnerability remediation based on real-world risk
- Reduce unnecessary regressions
- Minimize alert fatigue
- Improve development velocity
- Respond with greater confidence
The result is a more effective and sustainable approach to managing OSS vulnerabilities.
📚 New Guide: Vulnerability Management Done Right with ProGet
To help teams understand the thinking behind these new capabilities, we’ve also published Vulnerability Management Done Right with ProGet. This guide explains:
- The importance of differentiating vulnerabilities and exploits
- Why CVSS scores alone are often insufficient
- How to use PVRS to understand the context of a vulnerability’s real-world risk
- How to “Monitor”, “Remediate”, or “Contain” vulnerabilities
- How to customize assessments for your environment
- …and much more!
The guide provides a practical framework for reducing unnecessary upgrades and making more informed decisions about open-source risk.
Available Now
ProGet 2026 is available now as either an install or an upgrade through InedoHub.
By shifting the focus from theoretical severity to real-world impact, ProGet now helps teams spend less time reacting to alerts and more time addressing the issues that truly matter.