If possible, the cleanest and best way to address a vulnerability is to upgrade to a vulnerability-free version of the package you’re using. In most cases, disclosed vulnerabilities are fixed shortly after they’re discovered, and all you need to do is upgrade to the relevant version.
- For Node.js and Ruby GitHub repos, you can generate a pull request to upgrade.
- For Node.js projects, you can use Snyk’s CLI wizard.
If you can’t upgrade, either because no direct upgrade that fixes the issue is available or because the upgrade includes breaking changes you can’t take on right now, your next best option is to apply a patch (if one is available). A patch modifies the locally installed package files to fix the vulnerability.
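As an added illustration (not part of the original text), this is the shape of a `.snyk` policy file that records a patch decision for one Node.js dependency; the vulnerability ID, package names, and timestamp below are placeholders, not real values from this page.

```yaml
# .snyk policy file (added example with placeholder values).
# "version" is the policy schema version Snyk writes into the file.
version: v1.19.0

# Vulnerabilities the project has chosen to ignore (none here).
ignore: {}

# Patches apply the minimum change needed to fix a vulnerability in the
# locally installed package files when no suitable upgrade is available.
patch:
  'SNYK-JS-EXAMPLE-000000':          # placeholder vulnerability ID
    - 'example-parent > example-dep': # placeholder dependency path
        patched: '2019-01-01T00:00:00.000Z'   # placeholder timestamp
```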