Vulnerability fix types
A fixed vulnerability does not appear in scan results, as it is no longer considered a vulnerability.
Other vulnerability information can include the following:
Fixed in version
This shows the version of the package that no longer has the vulnerability.

Compare the fixed vulnerability card above to one where no fix is available.

Fixable
A fixable vulnerability means there is a route within the Project that would bring in the secure version of the package rather than the vulnerable version.
A vulnerability can therefore be both fixable and have a fixed in version.
The easiest way to tell whether a vulnerability is fixable in the Snyk app is to look for the "fix this vulnerability" button on the vulnerability card.

Fixed in shows when the issue is not fixable
The difference here is whether Snyk is looking at a direct or a transitive dependency. For a direct dependency, fixable is true if a fixed (or secure) version of the package exists anywhere in the system. This is not the case for a transitive dependency: fixing it requires a direct dependency that can be updated to a version that pulls in the fixed (or secure) version of the transitive dependency.

The above is an example of a transitive dependency. The detailed paths section (blue outline in the image above) shows that no fix path is available; however, it does show that the vulnerability is fixed in a more recent version, unlike the no fix available status seen above. This means that, in this specific Project, no direct dependency upgrade reaches the level of the dependency tree at which the vulnerability actually exists.
Fixing transitive dependencies
To fix a transitive dependency such as this, click on the Vulnerability DB link:

From the Snyk Vulnerability Database, you can then see fix advice for more information:

Fixing transitive dependencies through direct dependencies
If Snyk recommends updating a direct dependency to the version that fixes an affected transitive dependency, and the transitive dependency stays at its vulnerable version after that update, you can bring in the newer version of the transitive dependency by reinstalling the direct dependency.
To illustrate this issue, consider a scenario where a Project relies on react-scripts (a direct dependency), which has a vulnerable component, loader-utils@2.0.2 (a transitive dependency). Snyk recommends updating react-scripts to version 5.0.1 to fix the vulnerable component. After the update, the vulnerable package loader-utils is still at version 2.0.2. This indicates that another package in the Project is preventing the upgrade to a higher version. Reinstalling the react-scripts@5.0.1 direct dependency addresses this issue, as you can then upgrade the vulnerable component.
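The following added example (not Snyk's code) models the fixed in versus fixable distinction described in the two sections above over a small constructed npm-style registry. Only react-scripts 5.0.1 and loader-utils 2.0.2 come from this page; react-scripts 5.0.0, other-lib, and the placeholder release "2.0.FIXED" are assumptions made up for the example.

```javascript
// Constructed registry: name -> version -> direct dependencies of that version.
// Versions other than react-scripts 5.0.1 and loader-utils 2.0.2 are made up,
// and "2.0.FIXED" is a placeholder for a patched loader-utils release.
const registry = {
  "react-scripts": {
    "5.0.0": { "loader-utils": "2.0.2" },       // assumed pre-fix release
    "5.0.1": { "loader-utils": "2.0.FIXED" },
  },
  "loader-utils": { "2.0.2": {}, "2.0.FIXED": {} },
  "other-lib": { "1.0.0": { "loader-utils": "2.0.2" } }, // assumed package that pins the old version
};
// The vulnerability: which versions of which package are affected.
const vuln = { pkg: "loader-utils", vulnerable: new Set(["2.0.2"]) };

// Transitive closure of everything reached from a project's direct dependencies,
// as a Set of "name@version" keys (a clean resolution, no lockfile state).
function closure(directDeps) {
  const seen = new Set();
  const stack = Object.entries(directDeps);
  while (stack.length) {
    const [name, version] = stack.pop();
    const key = `${name}@${version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    stack.push(...Object.entries(registry[name]?.[version] ?? {}));
  }
  return seen;
}

// "Fixed in": versions of the package that are not vulnerable, regardless of
// whether the project can reach them.
function fixedIn(v) {
  return Object.keys(registry[v.pkg]).filter((ver) => !v.vulnerable.has(ver));
}

function isVulnerable(directDeps, v) {
  const tree = closure(directDeps);
  return [...v.vulnerable].some((ver) => tree.has(`${v.pkg}@${ver}`));
}

// "Fixable": the direct-dependency changes that remove every vulnerable version
// from the tree. Semver ordering is ignored; any other published version is tried.
function fixPaths(directDeps, v) {
  const paths = [];
  for (const [name, current] of Object.entries(directDeps)) {
    for (const candidate of Object.keys(registry[name])) {
      if (candidate === current) continue;
      if (!isVulnerable({ ...directDeps, [name]: candidate }, v)) {
        paths.push(`${name}@${current} -> ${name}@${candidate}`);
      }
    }
  }
  return paths;
}
```

With only react-scripts as a direct dependency, `fixPaths` returns the react-scripts 5.0.1 upgrade, while adding other-lib (which only ever depends on loader-utils 2.0.2) leaves `fixedIn` populated but `fixPaths` empty, which is exactly the "fixed in shows but not fixable" card. It resolves from a clean install, so the stale lock entry that the reinstall step above clears is not modelled.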