
@asos/snyker

v5.1.0

Published

An opinionated, heavy-handed wrapper around Snyk.

Downloads

154

Readme


Getting Started

```bash
# Start fixing vulnerabilities straight away using NPX
npx @asos/snyker

# Add to your global NPM packages
npm i -g @asos/snyker

# Or to your global Yarn packages
yarn global add @asos/snyker
```

About

The Snyk CLI is great for reporting vulnerabilities and providing top level dependency upgrades and patches, but struggles when the vulnerability rests within a nested "transitive" sub-dependency. This is despite the fact that many sub-dependencies have reasonable flexibility in the version ranges they allow for their own dependencies.

This CLI takes a brute-force approach to solving this limitation of Snyk. It purges the .snyk file from a project, checks for vulnerable paths using Snyk, then forces yarn / npm to try to upgrade any dependency along the vulnerable paths before finally ignoring any vulnerability that cannot be fixed in the previous steps. If a patch is available for any outstanding vulnerability then it is also added to the Snyk policy.

Note that this tool obeys your defined package version ranges and therefore can't fix anything that requires a major upgrade if you are only permitting minor or patch upgrades.

This tool also does not make use of Snyk's ability to perform package major upgrades. It will simply ignore vulnerabilities that cannot be fixed in the aforementioned steps. It is on you to sanity check anything that this tool decides to ignore.

Snyker will list the known vulnerabilities it has been unable to fix. If Snyk reports that there are major upgrades available to fix one or more of the outstanding vulnerabilities, Snyker will output a recommended yarn / npm command for performing the upgrade(s).

It is recommended that you use this tool alongside the official Snyk CLI, not replace it completely.
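The triage the About section describes, written out as an added example (this is not Snyker's own code). It reads a `snyk test --json` style report, keeps upgrades that stay within the direct dependency's current major as automatic fixes, and lists anything that would need a major bump for the manual sanity check the README asks for. The field names (`vulnerabilities`, `from`, `upgradePath`, `isPatchable`), the `.snyk` ignore shape and the sample report are assumptions constructed for this example.

```javascript
// Constructed sample report, not real Snyk output. Field names are assumed
// to mirror `snyk test --json`: `from` is the dependency path from the project
// to the vulnerable package, `upgradePath` the versions that would fix it.
const sampleReport = {
  vulnerabilities: [
    { id: "SNYK-JS-EXAMPLE-1", severity: "high", isPatchable: false,
      from: ["my-app@1.0.0", "dep-a@2.3.0", "nested-b@1.1.0"],
      upgradePath: [false, "dep-a@2.4.0", "nested-b@1.2.0"] },
    { id: "SNYK-JS-EXAMPLE-2", severity: "medium", isPatchable: false,
      from: ["my-app@1.0.0", "dep-c@1.0.0"],
      upgradePath: [false, "dep-c@2.0.0"] },
    { id: "SNYK-JS-EXAMPLE-3", severity: "low", isPatchable: true,
      from: ["my-app@1.0.0", "dep-d@0.5.0"],
      upgradePath: [] },
  ],
};

// Major version of a "name@x.y.z" spec; scoped names ("@scope/name@x.y.z") work too.
function major(spec) {
  return parseInt(spec.split("@").pop().split(".")[0], 10);
}

// Sort each finding into: upgrade (fixable without crossing a major),
// patch (a Snyk patch exists), or review (Snyker would ignore it; a human must check).
function triage(report) {
  const result = { upgrade: [], patch: [], review: [] };
  for (const v of report.vulnerabilities) {
    const current = v.from[1];        // direct dependency on the vulnerable path
    const target = v.upgradePath[1];  // what that direct dependency would become
    if (target && major(target) === major(current)) {
      result.upgrade.push({ id: v.id, from: current, to: target });
    } else if (v.isPatchable) {
      result.patch.push(v.id);
    } else {
      result.review.push({ id: v.id, severity: v.severity, from: current, to: target || null });
    }
  }
  return result;
}

// Build the ignore block a .snyk policy would carry for the unfixable findings.
// An expiry keeps the ignore from silently becoming permanent.
function ignoreEntries(reviewList, expires) {
  const ignore = {};
  for (const v of reviewList) {
    ignore[v.id] = [{ "*": { reason: `No non-major upgrade for ${v.from}`, expires } }];
  }
  return { ignore };
}
```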

Usage

Options

```bash
snyker --retries 3 --lockfile package-lock.json --preserve-integrity
```

| Flag | Description | Default |
| ---------------------- | ------------------------------------------------------------------------- | ----------- |
| `--lockfile <string>` | Specify the lockfile to use (e.g. yarn.lock or package-lock.json). | Attempts to find a yarn.lock or package-lock.json, then defaults to yarn.lock |
| `--retries <int>` | Sets the number of times to retry logical steps of Snyker. | 2 |
| `--preserve-integrity` | Will not attempt to update the integrity hash when sha1 is used. * | false |

* It is highly recommended to use sha512 for the integrity hash algorithm, which is the default for npm. However, some private repositories such as Azure Artifacts do not support anything other than sha1. In that case, if the integrity hash is removed, the subsequent npm install command does not reinstate it. This flag is a workaround for that issue.

Alternatives

Snyk Pull Requests

Snyk supports a pull or merge request integration for your source control repositories which can upgrade your dependencies based on scan results.

This behaves similarly to Snyker in providing a capability to upgrade dependencies, but it is not available as a CLI and does not bundle ignore behaviours at the same time.

Snyk Ignore

The Snyk CLI supports a snyk ignore command to ignore a stated issue according to its snyk ID for all occurrences, its expiry date, a reason, or according to paths in the filesystem.

This command does not perform any dependency upgrades and requires you to manually look up the vulnerability's ID to execute the correct ignore command.

Snyker currently includes the snyk ignore capability as part of its process.

Snyk Protect

Snyk supports a separate @snyk/protect CLI, replacing the older snyk protect command for patching vulnerable dependencies.

The Snyker maintainers generally advise against the usage of closed source patches for your dependencies.

Snyk Fix

Snyk has released a closed beta snyk fix command that aims to automatically apply the recommended updates, but this is currently only available for Enterprise customers using Python.

Snyk Wizard

Snyk used to support a snyk wizard command which would perform dependency upgrades and policy ignores but this was removed on 31 March 2022.

Contributing

Please check out the CONTRIBUTING docs.

Changelog

Please check out the CHANGELOG docs.


License

Snyker is licensed under the MIT License.