{"id":13809892,"url":"https://github.com/asos/snyker","last_synced_at":"2026-03-09T10:35:38.824Z","repository":{"id":45383236,"uuid":"421437571","full_name":"ASOS/snyker","owner":"ASOS","description":"An opinionated, heavy-handed wrapper around Snyk. ","archived":false,"fork":false,"pushed_at":"2024-12-03T11:58:21.000Z","size":94,"stargazers_count":8,"open_issues_count":1,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-05-08T15:18:14.885Z","etag":null,"topics":["cli","security","snyk","snyk-cli","vulnerabilities","vulnerable-paths"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ASOS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"docs/CODEOWNERS","security":null,"support":null}},"created_at":"2021-10-26T13:31:55.000Z","updated_at":"2025-01-30T15:05:22.000Z","dependencies_parsed_at":"2022-09-06T06:52:31.576Z","dependency_job_id":null,"html_url":"https://github.com/ASOS/snyker","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ASOS%2Fsnyker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ASOS%2Fsnyker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ASOS%2Fsnyker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ASOS%2Fsnyker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ASOS","download_url":"https://codeload.github.com/ASOS/snyker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"
github","repositories_count":254120624,"owners_count":22018024,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","security","snyk","snyk-cli","vulnerabilities","vulnerable-paths"],"created_at":"2024-08-04T02:00:38.925Z","updated_at":"2026-03-09T10:35:38.767Z","avatar_url":"https://github.com/ASOS.png","language":"JavaScript","funding_links":[],"categories":["Snyk CLI, Plugins, Extensions, Filters"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ch1 align=\"center\"\u003eSnyker\u003c/h1\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\nAn opinionated CLI wrapper around \u003ca href=\"https://snyk.io/\"\u003eSnyk\u003c/a\u003e for purging vulnerabilities from Node projects\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://github.com/asos/snyker/tags/\"\u003e\u003cimg src=\"https://img.shields.io/github/tag/asos/snyker\" alt=\"Current version\" /\u003e\u003c/a\u003e\n   \u003cimg src=\"https://github.com/asos/snyker/workflows/Test/badge.svg\" alt=\"Current test status\" /\u003e\n   \u003ca href=\"http://makeapullrequest.com\"\u003e\u003cimg src=\"https://img.shields.io/badge/PRs-welcome-brightgreen.svg\" alt=\"PRs are welcome\" /\u003e\u003c/a\u003e\n   \u003ca href=\"https://github.com/asos/snyker/issues/\"\u003e\u003cimg src=\"https://img.shields.io/github/issues/asos/snyker\" alt=\"snyker issues\" /\u003e\u003c/a\u003e\n   \u003cimg src=\"https://img.shields.io/github/stars/asos/snyker\" alt=\"snyker stars\" /\u003e\n   \u003cimg src=\"https://img.shields.io/github/forks/asos/snyker\" alt=\"snyker forks\" /\u003e\n   
\u003cimg src=\"https://img.shields.io/github/license/asos/snyker\" alt=\"snyker license\" /\u003e\n   \u003ca href=\"https://github.com/asos/snyker/graphs/commit-activity\"\u003e\u003cimg src=\"https://img.shields.io/badge/Maintained%3F-yes-green.svg\" alt=\"snyker is maintained\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003ci\u003eYou're not you when you've got hundreds of vulnerable paths\u003c/i\u003e\n\u003c/p\u003e\n\n---\n\n## Getting Started\n\n```bash\n# Start fixing vulnerabilities straight away using NPX\nnpx @asos/snyker\n\n# Add to your global NPM packages\nnpm i -g @asos/snyker\n\n# Or to your global Yarn packages\nyarn global add @asos/snyker\n```\n\n## About\n\nThe Snyk CLI is great for reporting vulnerabilities and providing top level dependency upgrades and patches, but struggles when the vulnerability rests within a nested \"transitive\" sub-dependency. This is despite the fact that many sub-dependencies have reasonable flexibility in the version ranges they allow for their own dependencies.\n\nThis CLI takes a brute-force approach to solving this limitation of Snyk. It purges the `.snyk` file from a project, checks for vulnerable paths using Snyk, then forces `yarn` / `npm` to try to upgrade any dependency along the vulnerable paths before finally ignoring any vulnerability that cannot be fixed in the previous steps. If a patch is available for any outstanding vulnerability then it is also added to the Snyk policy.\n\nNote that this tool obeys your defined package version ranges and therefore can't fix anything that requires a major upgrade if you are only permitting minor or patch upgrades.\n\nThis tool also does not make use of Snyk's ability to perform package major upgrades. It will simply ignore vulnerabilities that cannot be fixed in the aforementioned steps. _It is on you to sanity check anything that this tool decides to ignore._\n\nSnyker will list the known vulnerabilities it has been unable to fix. 
If Snyk reports that there are major upgrades available to fix one or more of the outstanding vulnerabilities, Snyker will output a recommended `yarn` / `npm` command for performing the upgrade(s).\n\nIt is recommended that you use this tool alongside the official Snyk CLI, not as a replacement for it.\n\n## Usage\n\n### Options\n\n```console\nsnyker --retries 3 --lockfile package-lock.json --preserve-integrity\n```\n\n| Flag                   | Description                                                              | Default     |\n| ---------------------- | -------------------------------------------------------------------------| ----------- |\n| `--lockfile \u003cstring\u003e`  | Specify the lockfile to use (e.g. `yarn.lock` or `package-lock.json`).   | Attempts to find a `yarn.lock` or `package-lock.json`, then defaults to `yarn.lock` |\n| `--retries \u003cint\u003e`      | Sets the number of times to retry each logical step of Snyker.           | `2`         |\n| `--preserve-integrity` | Does not attempt to update the integrity hash when `sha1` is used. \\*    | `false`     |\n\n\u003e \\* It is highly recommended to use `sha512` for the integrity hash algorithm, which is the default for `npm`. However, private registries such as Azure Artifacts do not support anything other than `sha1`. If those `sha1` integrity hashes are removed, the subsequent `npm install` command does not reinstate them. 
This flag is a workaround for this issue.\n\n## Alternatives\n\n### Snyk Pull Requests\n\n[Snyk supports a pull or merge request integration](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests) for your source control repositories, which can upgrade your dependencies based on scan results.\n\nThis behaves similarly to Snyker in providing a capability to upgrade dependencies, but it is not available as a CLI and does not bundle the ignore behaviour alongside the upgrades.\n\n### Snyk Ignore\n\nThe Snyk CLI supports a [`snyk ignore` command](https://github.com/snyk/cli/blob/main/help/cli-commands/ignore.md) to ignore a stated issue by its Snyk ID, either for all occurrences or only for given paths in the filesystem, together with an expiry date and a reason.\n\nThis command does not perform any dependency upgrades and requires you to manually look up the vulnerability's ID to execute the correct ignore command.\n\nSnyker currently includes the `snyk ignore` capability as part of its process.\n\n### Snyk Protect\n\nSnyk supports a separate [`@snyk/protect`](https://github.com/snyk/cli/tree/main/packages/snyk-protect#readme) CLI, replacing the older `snyk protect` command for patching vulnerable dependencies.\n\nThe Snyker maintainers generally advise against the usage of closed source patches for your dependencies.\n\n### Snyk Fix\n\nSnyk has released a [closed beta](https://docs.snyk.io/getting-started/snyk-release-process#closed-beta) [`snyk fix` command](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/automatic-fixing-with-snyk-fix) that aims to automatically apply the recommended updates, but this is currently only available for Enterprise customers using Python.\n\n### Snyk Wizard\n\nSnyk used to support a `snyk wizard` command that performed dependency upgrades and policy ignores, [but this was removed on 31 March 2022](https://updates.snyk.io/snyk-wizard-and-snyk-protect-removal-224137).\n\n## Contributing\n\nPlease check out the 
[CONTRIBUTING](./docs/CONTRIBUTING.md) docs.\n\n## Changelog\n\nPlease check out the [CHANGELOG](./docs/CHANGELOG.md) docs.\n\n---\n\n## License\n\nSnyker is licensed under the [MIT License](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasos%2Fsnyker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasos%2Fsnyker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasos%2Fsnyker/lists"}
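The README's "About" section describes Snyker's process (collect the vulnerable paths Snyk reports, force `yarn` / `npm` to try upgrading everything along them, then patch or ignore what is left, recommending a command when only a major upgrade would fix an issue), and the `--preserve-integrity` note describes why `sha1` lockfile hashes need special care. The block below is an added worked example of both, written for this page; it is not Snyker's own code and not Snyk's. It assumes the `snyk test --json` field names (`vulnerabilities[].from`, `upgradePath`, `isUpgradable`, `isPatchable`) and the `.snyk` policy layout from memory, approximates "within your declared version ranges" as "same major version", and runs entirely on constructed data, so nothing is fetched from Snyk or a registry.

```javascript
// Added example, not Snyker's own code: a dry run of the README's process on
// a constructed `snyk test --json`-shaped report, plus the lockfile check
// behind `--preserve-integrity`. Field names and the `.snyk` layout are
// assumptions from memory; "within range" is approximated as "same major".
const SAMPLE_REPORT = {
  vulnerabilities: [
    { // fixable by a minor bump of the direct dependency
      id: "EXAMPLE-VULN-1", packageName: "nested-lib", severity: "high",
      from: ["my-app@1.0.0", "pkg-a@2.3.0", "nested-lib@1.0.0"],
      upgradePath: [false, "pkg-a@2.3.1", "nested-lib@1.0.2"], isUpgradable: true, isPatchable: false },
    { // only fixable by a major bump, which Snyker will not perform itself
      id: "EXAMPLE-VULN-2", packageName: "old-parser", severity: "medium",
      from: ["my-app@1.0.0", "pkg-b@1.8.0", "old-parser@3.1.0"],
      upgradePath: [false, "pkg-b@2.0.0", "old-parser@4.0.0"], isUpgradable: true, isPatchable: false },
    { // no upgrade at all, but Snyk offers a patch
      id: "EXAMPLE-VULN-3", packageName: "tiny-util", severity: "low",
      from: ["my-app@1.0.0", "pkg-c@1.1.0", "tiny-util@0.9.0"],
      upgradePath: [], isUpgradable: false, isPatchable: true },
  ],
};

// Constructed package-lock v3 fragment; one entry still carries a sha1 hash.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/pkg-a": { version: "2.3.0", integrity: "sha512-c2FtcGxlLWhhc2g=" },
    "node_modules/pkg-a/node_modules/nested-lib": { version: "1.0.0", integrity: "sha1-c2FtcGxl" },
  },
};

// "name@1.2.3" -> "name" / 1; lastIndexOf also handles scoped "@org/name@1.2.3".
const nameOf = (spec) => spec.slice(0, spec.lastIndexOf("@"));
const majorOf = (spec) => Number(spec.slice(spec.lastIndexOf("@") + 1).split(".")[0]);

// Step 1: every package on a vulnerable path except the project itself
// (index 0) is a candidate for the forced yarn/npm upgrade attempt.
function upgradeCandidates(report) {
  const names = new Set();
  for (const vuln of report.vulnerabilities) {
    for (const spec of vuln.from.slice(1)) names.add(nameOf(spec));
  }
  return [...names].sort();
}

// Step 2: an upgrade whose direct-dependency step stays on the same major is
// expected to land within the declared ranges; a major bump only gets a
// recommended command and is otherwise treated as unfixable (ignored).
function classify(report, packageManager = "npm") {
  const out = { upgradeable: [], majorUpgrades: [], patch: [], ignore: [] };
  for (const vuln of report.vulnerabilities) {
    const current = vuln.from[1];
    const target = vuln.upgradePath[1];
    if (vuln.isUpgradable && current && target && majorOf(target) === majorOf(current)) {
      out.upgradeable.push(vuln.id);
    } else if (vuln.isUpgradable && target) {
      const command = packageManager === "yarn" ? `yarn upgrade ${target}` : `npm install ${target}`;
      out.majorUpgrades.push({ id: vuln.id, command });
      out.ignore.push(vuln);
    } else if (vuln.isPatchable) {
      out.patch.push(vuln);
    } else {
      out.ignore.push(vuln);
    }
  }
  return out;
}

// Step 3: `.snyk` policy entries for what remains. Ignores carry a reason and
// an expiry so they resurface for review; patches are keyed by dependency path.
function buildPolicy(classified, now = new Date("2024-01-01T00:00:00Z"), ttlDays = 30) {
  const created = now.toISOString();
  const expires = new Date(now.getTime() + ttlDays * 86400000).toISOString();
  const policy = { version: "v1.25.0", ignore: {}, patch: {} };
  for (const vuln of classified.ignore) {
    policy.ignore[vuln.id] = [{ "*": { reason: "Not fixable within allowed version ranges", expires, created } }];
  }
  for (const vuln of classified.patch) {
    policy.patch[vuln.id] = [{ [vuln.from.slice(1).map(nameOf).join(" > ")]: { patched: created } }];
  }
  return policy;
}

// `--preserve-integrity` check: sha1 hashes that a later `npm install` would
// not restore if stripped, so they must be carried over untouched.
function weakIntegrityEntries(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([, meta]) => typeof meta.integrity === "string" && meta.integrity.startsWith("sha1-"))
    .map(([path]) => path);
}

function dryRun(report, lockfile, packageManager = "npm") {
  const classified = classify(report, packageManager);
  return {
    tryUpgrading: upgradeCandidates(report),
    fixedByUpgrade: classified.upgradeable,
    recommendedCommands: classified.majorUpgrades.map((m) => m.command),
    policy: buildPolicy(classified),
    sha1Integrity: weakIntegrityEntries(lockfile),
  };
}

console.log(JSON.stringify(dryRun(SAMPLE_REPORT, SAMPLE_LOCKFILE), null, 2));
```

On the sample data the dry run lists all six packages along the three paths as upgrade candidates, marks the first issue as fixable by a same-major bump, emits `npm install pkg-b@2.0.0` as the recommended command for the second while adding it to the ignore list, writes a patch entry for the third, and flags the one `sha1` lockfile entry. Anything that ends up under `ignore` is exactly what the README tells you to sanity check by hand.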