What can I do if I'm vulnerable?

If possible, the cleanest and best way to address a vulnerability is to upgrade to a vulnerability-free version of the package you’re using. In most cases, disclosed vulnerabilities are fixed shortly after they’re discovered, and all you need to do is upgrade to the relevant version.

If you can’t upgrade, either because no direct upgrade that fixes the vulnerability is available or because the upgrade includes breaking changes you can’t take on right now, your next best option is to apply a patch. A patch changes the locally installed package file to fix the vulnerability.

  • For Node.js projects, you can apply patches either via a GitHub pull request with fixes, or by running Snyk wizard.
  • Patching is currently not supported for Ruby. You can open a pull request to ignore vulnerabilities that can’t be fixed.