# Upgrading vulnerable packages with pkgng



## frijsdijk (Dec 22, 2014)

Hi,

On a system that's installed with packages only using FreeBSD repositories (no ports compiled - but should it matter?), say some day a port becomes vulnerable (`pkg audit`).

Can I then wait for an updated version of this package, and when it's there, let pkg fix it for me with a simple `pkg install <vulnerable port>` to only update that port?

It seems not, because on several systems I have, doing this will either break the port itself, or ports that depend on the previous version's shared libs. You would assume that pkg knows about the shared libs, and if they differ between versions, it should suck in the deps as well.

Is then a `pkg upgrade` the only way to do such updates?


----------



## DutchDaemon (Dec 22, 2014)

From the manual, I'd say that the -R flag is worth a shot.


----------

