The reason we add Snyk as a dependency in some fix PRs is so that the patches can be applied.
We need to run snyk protect after the dependencies are installed so that the patches are applied (removing vulnerabilities where no upgrade is available, or where you do not want to update the package to a later version).
For vulnerabilities that have straightforward fixes, such as upgrading or pinning the version, Snyk makes that change directly and does not need to be added as a dependency.
But sometimes you'll get a vulnerability in a package that has no known fix. Generally we contact the repository owner and help them patch the issue, but sometimes the owner doesn't respond. In these cases we can't simply fork the repository, since we would then have to maintain the fork ourselves.
When this happens and we have a patch that can be applied, we add snyk as a dependency, together with a script that runs after your packages are installed to apply the patch post-install.
So, for instance, let's say email@example.com has a vulnerability and there is a Snyk patch for it. After running snyk protect you will see two added lines in your dependency file (for supported languages): one adds snyk as a dependency, the other runs snyk protect once the install is done.
Now when you re-run the install, firstname.lastname@example.org will be installed, snyk protect will run and patch it, and the vulnerability is no longer present.
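What those two added lines look like in a Node.js project, as an added illustration that is not taken from the page or from Snyk's own documentation: a package.json with snyk listed as a dependency and an npm lifecycle script that runs snyk protect once installation has finished. The package name example-app, the lodash pin and the snyk version range are placeholders; the page does not state which npm lifecycle hook Snyk's CLI writes, so postinstall is used here as an assumption because it matches the "once the install is done" behaviour described above.

```json
{
  "name": "example-app",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "npm run snyk-protect",
    "snyk-protect": "snyk protect"
  },
  "dependencies": {
    "lodash": "4.17.4",
    "snyk": "^1.0.0"
  }
}
```

Two practical checks: snyk protect only applies patches that are listed under the patch section of the project's .snyk policy file, so that file must be committed alongside package.json; and because the hook runs on every install, anyone installing your package (including CI and downstream consumers) needs network access to fetch the patch, which is exactly why snyk has to be a declared dependency rather than a globally installed tool.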
Why can’t we just use the global snyk instead?
When your software is shipped to clients or other environments, they may not have snyk installed globally, so the vulnerabilities that were patched by snyk on your dev/deployment systems would remain unpatched there.
So in this sense it's more of a post-install hardening of your codebase.
How can I prevent snyk from adding itself as a dependency?
If you do not want patches applied in automatic pull requests, you can disable them by going to
- GitHub 'Edit Settings'
- Uncheck the checkbox 'Include patches to vulnerable dependencies'