About fixes
Snyk fix advice for Open Source dependencies suggests the least disruptive upgrade possible that fixes the issue. The fix may be recommended higher in the dependency tree than the vulnerable package itself.
Sample dependency tree with recommended fix
When you open a Fix PR for an issue from Snyk, Snyk makes the recommended upgrade to the vulnerable package.
Sample file changed from Snyk Fix PR in GitHub
If an upgrade requires a major version change, Snyk notifies you that it may be a breaking change with a warning symbol. The Snyk security team creates and tests patches for some vulnerabilities. If an upgrade would potentially be a breaking change, or if you have other reasons for not upgrading, a patch can be an acceptable alternative.
Always weigh the risk of the vulnerability against the effort involved.
Copy link