Sometimes there is no direct upgrade that can address the vulnerability or an upgrade is not possible due to functional reasons (e.g. it’s a major breaking change).For such cases Snyk can help you protect your code with patches. This option will make the minimal modifications to your locally installed
node_modulesfiles to fix the vulnerability. It will also update the policy to patch this issue when running snyk protect.
Patching is currently supported for Node.js projects only.
Patches are applicable in the following scenarios:
When there is no upgrade available for the direct dependency
When there is no way of upgrading a direct dependency to get to a vulnerability free version of a transitive dependency.
When an upgrade would render the package incompatible with the current codebase.
Patches are available via the source code integrations and the Snyk CLI.
Patches are created and maintained by Snyk. If the package owner has made code changes to fix the issues, our patch is based on this official fix, and we remove any cosmetic or unrelated changes. If a package owner has not addressed the vulnerability yet, we write a patch from scratch.
Before releasing it, we verify the patch, backport it to older versions, and test that the patch hasn’t broken functionality.
The patches are a part of Snyk’s open source vulnerability database, so you can check them out before applying them. For example, the patches for the ms ReDoS vulnerability. We don’t have patches for every case - if you need one that’s missing, let us know.
Snyk creates patches for high impact vulnerabilities, a vulnerability is determined as high impact if it is a serious vulnerability in a popular package that affects many users.
The Snyk Security team creates the patch usually by backporting a fix that has been added to the dependency. Backporting is the action of taking a fix that was built for a particular version of a piece of software, and applying it to a previous version of that software, by updating it to be functionally identical but with the fix for the vulnerability applied. For more information take a look at Redhat’s description of Backporting Security Fixes.
Once the patch is created by a Snyk Security Engineer it is reviewed by 2 other members of the team. The patch is also tested in the following ways
The package is built and tested using the packages automated tests
Packages or applications that use that patched package are tested using their automated tests.
Custom tests are created and run by the Snyk Security team
All patches are available for download and review by the community and we welcome any feedback.
For unmaintained packages, we will create a patch and open a pull request to the project for it to be merged.
If you use the Snyk CLI to fix your vulnerable Node.js project by running
snyk wizard and choose to apply a patch then following two things will happen:
snykwill be added as a production dependency of the project
postinstallhook will be added to run
yarn installthen the hook can trigger
snyk protectto run and patch the necessary dependencies, on completion you will see a success message in the output:
> snyk protect
Successfully applied Snyk patches
snyk protect is the way to repeatedly apply patches, it needs to be run every time you re-install your dependencies. Common integration points would be in your CI/CD (build system or deployment system), and adding it as a post-install step in the
When you choose to use a patch to fix a vulnerability,
snyk is added as a dependency and a
.snyk file is created which contains the list of patches to apply.
.snyk file contains the details of the patch per individual path to the dependency as it may appear in multiple locations in the
node_modules, for example:
'npm:negotiator:20160616': - errorhandler > accepts > negotiator: patched: '2017-05-05T12:39:16.961Z'