UNPKG

@snyk/protect

Version:

Snyk protect library and utility

github.com/snyk/snyk

snyk/snyk

79 lines (56 loc) 2.66 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# @snyk/protect [![npm](https://img.shields.io/npm/v/@snyk/protect)](https://www.npmjs.com/package/@snyk/protect) [![Known Vulnerabilities](https://snyk.io/test/github/snyk/snyk/badge.svg)](https://snyk.io/test/github/snyk/snyk) ![Snyk](https://snyk.io/style/asset/logo/snyk-print.svg) Patch vulnerable code in your project's dependencies. This package is officially maintained by [Snyk](https://snyk.io). ## Usage You don't typically need to add the @snyk/protect dependency manually. It'll be introduced when it's needed as part of [Snyk's Fix PR service](https://support.snyk.io/hc/en-us/articles/360011484018-Fixing-vulnerabilities). To enable patches in your Fix PRs: - Visit https://app.snyk.io - Go to "Org Settings" > "Integrations" - Choose "Edit Settings" under your SCM integration. - Under the "Fix Pull Request" section, ensure patches are enabled. Snyk will now include patches as part of its Fix PRs for your project. ## How it works If there's a patch available for a vulnerability in your project, the Fix PR: - Adds a `patch` entry to your `.snyk` file. - Adds `@snyk/protect` to your `package.json`'s dependencies. - Adds `@snyk/protect` to your `package.json`'s [`prepare` script](https://docs.npmjs.com/cli/v7/using-npm/scripts). ```patch { "name": "my-project", "scripts": { + "prepare": "npm run snyk-protect", + "snyk-protect": "snyk-protect" }, "dependencies": { + "@snyk/protect": "^1.657.0" } } ``` Now after you run npm install, @snyk/protect will automatically download each patch configured in your .snyk file and apply them to your installed dependencies. ## Migrating from `snyk protect` to `@snyk/protect` `@snyk/protect` is a standalone replacement for `snyk protect`. They both do the same job, however: - `@snyk/protect` has zero dependencies. - You don't need to include `snyk` in your dependencies (which is a much larger package with many dependencies). If you already have Snyk Protect set up, you can migrate to `@snyk/protect` by applying the following changes to your `package.json`: ```patch { "name": "my-project", "scripts": { "prepare": "npm run snyk-protect", - "snyk-protect": "snyk protect" + "snyk-protect": "snyk-protect" }, "dependencies": { - "snyk": "^1.500.0" + "@snyk/protect": "^1.657.0" } } ``` We have also created the [@snyk/cli-protect-upgrade](https://www.npmjs.com/package/@snyk/cli-protect-upgrade) npx script which you can use to update your project automatically. To use it, `cd` to the location containing the package.json to be updated and run: ``` npx @snyk/cli-protect-upgrade ``` --- Made with 💜 by Snyk