Assess the issue, and weigh up risk against effort. If the risk is high, you could remove the dependency.
Both Snyk CLI and the GitHub integration allow you to ignore the vulnerability for 30 days.
Fixing Vulnerabilities
- Snyk changed the "resolved" URL's in my Lock file
- Cannot create a Fix PR
- When I can choose, how should I decide whether to upgrade or patch?
- What if there is no upgrade or patch available?
- What is a Snyk Patch?
- What can I do if I'm vulnerable?
- Is it possible that a fix pull request could introduce new vulnerabilities?
- Can patching break my code?
- How are Snyk patches created?
- How are Snyk patches tested?