Why has Snyk been added as a dependency in my project?

The reason we add Snyk as a dependency in some fix PRs is so that we can apply patches.

We need to run snyk protect after dependencies are installed so that the patches are applied. Patches remove vulnerabilities where no upgrade is available, or where you did not want to update the package to a later version.

If you do not want patches applied in automatic pull requests, you can disable them by going to:

  • Settings
  • Integrations
  • GitHub 'Edit Settings'
  • Uncheck the checkbox 'Include patches to vulnerable dependencies'