The Snyk security team usually creates the patch by backporting a fix that has already been added to a newer version of the dependency. Backporting means taking a fix that was built for a particular version of a piece of software and applying it to an earlier version of that software, updating the earlier version so that it remains functionally identical but has the fix for the vulnerability applied. For more information, see Red Hat's description of backporting: https://access.redhat.com/security/updates/backporting
Fixing Vulnerabilities
- Snyk changed the "resolved" URLs in my lock file
- Cannot create a Fix PR
- When I can choose, how should I decide whether to upgrade or patch?
- What if there is no upgrade or patch available?
- What is a Snyk Patch?
- What can I do if I'm vulnerable?
- Is it possible that a fix pull request could introduce new vulnerabilities?
- Can patching break my code?
- How are Snyk patches created?
- How are Snyk patches tested?