Fix your vulnerabilities

Snyk helps you fix vulnerabilities either by upgrading the direct dependencies to a vulnerability-free version or by patching the vulnerability. You can apply these fixes in several ways, from applying them manually through the Snyk UI to accepting pull requests that Snyk opens automatically.
To fix a vulnerability with Snyk:

How it works

When a new fixable vulnerability is found, Snyk attempts to open a pull request on your behalf (in a repository for which we support automatic fix pull requests) or, depending on your settings, suggests that you open one manually.
When Snyk automates the fix, we first check whether a branch and pull request for that exact fix already exist; if they do, we reopen the existing, already closed pull request on that branch.
When no branch and pull request exist for the issue, a new branch and pull request are created.

Fix advice

Once Snyk has tested your manifest files, we provide a summary and detailed advice for the vulnerabilities that have fixes available, so that you can resolve them with the help of clear suggestions and explanations.
Snyk offers you one of these solutions:
  • An upgrade - an upgrade of the original package to a version that is not affected
  • Pinning a package - installing a specific version of an indirect dependency as a top-level dependency, so that a direct dependency no longer pulls in the vulnerable version
  • A Snyk precision patch - if no upgrade that fixes the vulnerabilities in the package is currently available, Snyk offers patches to fix the issues
The summary area groups advice per package and is ordered by the best available fix. Advice in these summary lists includes these details per package:
  • All vulnerability names and severity details affecting that package
  • The recommended fix - a link to the recommended fix for this package and its listed vulnerabilities: either the specific version to which to upgrade or the name of the patch

Actionable advice from our app

From our app, for each tab (upgrade and patch) in the fix advice area of your project details, results are displayed as follows:
  • the total number of packages that can be fixed is shown in the tab title
  • vulnerabilities are grouped by package, with each group titled by the recommended upgrade or patch
  • each package can be expanded to view the full list of vulnerabilities affecting it
  • all the vulnerabilities found in your dependencies are listed further below, together with contextual information that helps you prioritize the issues and start fixing them if required
The Fix Advice area appears near the top of the project details page, similar to the following examples:
Upgrade issues tabs
Patchable issues tabs
You can also find additional advice and details further down on the Project details page:
  • from the Issues tab, a full description of each vulnerability
  • from the Dependencies tab, the entire tree of your project dependencies, so that you can clearly visualize the affected paths

Actionable advice from our CLI tool

From the CLI, for each list (upgrade and patch), results are displayed in groups based on the packages we recommend that you fix, including:
  • details for all vulnerabilities introduced per package; to view all affected dependency paths, add --show-vulnerable-paths=all when running snyk test or snyk monitor
  • links to full descriptions of each vulnerability
Upgrade and patch results appear similar to the following:
Patch recommendations with some and with all paths:
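The per-package grouping described in the summary area and in the CLI output above can be reproduced from the CLI's JSON report. The following is an added example, not Snyk's own code: it reads a constructed report in the shape of snyk test --json output (the field names packageName, from, upgradePath, isUpgradable and isPatchable are an assumption about that format), groups the issues per package@version, and picks the best available fix the way the summary does (an upgrade beats a patch, a patch beats nothing).

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `snyk test --json` output. The field names
# (packageName, from, upgradePath, isUpgradable, isPatchable) are an assumption
# about the CLI's JSON report; the ids, versions and titles are made up.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "SNYK-EXAMPLE-1", "title": "Prototype Pollution", "severity": "high",
     "packageName": "lodash", "version": "4.17.15", "from": ["app@1.0.0", "lodash@4.17.15"],
     "isUpgradable": True, "isPatchable": True, "upgradePath": [False, "lodash@4.17.21"]},
    {"id": "SNYK-EXAMPLE-2", "title": "ReDoS", "severity": "medium",
     "packageName": "lodash", "version": "4.17.15", "from": ["app@1.0.0", "lodash@4.17.15"],
     "isUpgradable": True, "isPatchable": False, "upgradePath": [False, "lodash@4.17.21"]},
    {"id": "SNYK-EXAMPLE-3", "title": "Path Traversal", "severity": "critical",
     "packageName": "tar", "version": "2.2.1", "from": ["app@1.0.0", "node-gyp@3.8.0", "tar@2.2.1"],
     "isUpgradable": False, "isPatchable": True, "upgradePath": []},
    {"id": "SNYK-EXAMPLE-4", "title": "Information Exposure", "severity": "low",
     "packageName": "ms", "version": "0.7.0", "from": ["app@1.0.0", "debug@2.2.0", "ms@0.7.0"],
     "isUpgradable": False, "isPatchable": False, "upgradePath": []},
]})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def best_fix(vulns):
    """One action per package: an upgrade beats a patch, a patch beats nothing."""
    upgrades = [v for v in vulns if v.get("isUpgradable") and v.get("upgradePath")]
    if upgrades:
        # upgradePath[0] stands for the project itself (False); the first truthy
        # entry is the direct dependency whose version must be bumped.
        return "upgrade", next(p for p in upgrades[0]["upgradePath"] if p)
    if any(v.get("isPatchable") for v in vulns):
        return "patch", None
    return "none", None

def group_advice(report_json):
    """Group issues per package@version and attach the recommended fix."""
    by_pkg = defaultdict(list)
    for v in json.loads(report_json)["vulnerabilities"]:
        by_pkg[f'{v["packageName"]}@{v["version"]}'].append(v)
    advice = {}
    for pkg, vulns in by_pkg.items():
        action, target = best_fix(vulns)
        worst = max(vulns, key=lambda v: SEVERITY_RANK.get(v["severity"], 0))
        advice[pkg] = {"fix": action, "target": target, "max_severity": worst["severity"],
                       "issues": sorted(v["id"] for v in vulns),
                       "paths": sorted({" > ".join(v["from"]) for v in vulns})}
    return advice
```

Feeding it a real report (snyk test --json > report.json) gives one entry per package, which is the same view the upgrade and patch tabs present, with the "paths" list covering what --show-vulnerable-paths=all prints.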
© 2022 Snyk Limited