Articles

Snyk Open Source: Scan and Fix Vulnerable Dependencies (2026)

April 18, 2026 4 min read

Snyk’s ability to automatically fix vulnerable dependencies is often misunderstood; it doesn’t magically rewrite code, but rather orchestrates dependency updates based on semantic versioning rules.

Let’s see Snyk in action. Imagine a simple Node.js project with a package.json file:

{
  "name": "my-vulnerable-app",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "^4.17.10",
    "express": "^4.16.4"
  }
}

After running npm install, we have our dependencies locally. Now, let’s scan for vulnerabilities using Snyk:

snyk test

Snyk will analyze package-lock.json (or npm-shrinkwrap.json) and compare the exact versions of your dependencies against its vulnerability database. Suppose it finds a critical vulnerability in lodash version 4.17.10, specifically CVE-2020-8203. The output might look something like this:

Testing /path/to/my-vulnerable-app...

✗ High severity vulnerability found in lodash
  Description: Prototype Pollution in lodash
  Info: https://security.snyk.io/vuln/SNYK-JS-LODASH-1018905
  Introduced through: lodash@4.17.10
  From: lodash@4.17.10
  Remediation:
    Upgrade lodash to version 4.17.21 or higher.
    Run "snyk wizard" for interactive upgrade or "snyk fix" for automatic upgrade.

The "fix" part isn’t about Snyk patching the lodash source code itself. Instead, Snyk leverages your project’s dependency management system (npm, yarn, etc.) and the semantic versioning (SemVer) rules defined in your package.json.

The core problem Snyk solves is the silent integration of vulnerable code into your application. Developers often update dependencies without a deep dive into each one’s security posture, leading to a false sense of security. Snyk automates this security check and provides a path to remediation.

Internally, Snyk does a few key things:

  1. Dependency Tree Analysis: It parses your project’s lock file (e.g., package-lock.json) to build an exact representation of your dependency tree, including transitive dependencies.
  2. Vulnerability Matching: It compares the exact versions of every package in your tree against its continuously updated vulnerability database.
  3. Patch Identification: For each vulnerability, Snyk identifies the minimum version of the affected package that resolves the vulnerability. This is where SemVer is crucial. Snyk knows that a patch version (e.g., 4.17.11 from 4.17.10) is a safe, backward-compatible update. A minor version (e.g., 4.18.0) might also be safe, but Snyk prioritizes the smallest possible change to minimize disruption. Major version bumps (e.g., 5.0.0) are generally not considered safe automatic fixes because they often introduce breaking changes.

Now, let’s use the snyk fix command to address the lodash vulnerability.

snyk fix

Snyk will look at the lodash vulnerability and determine the safest, smallest version update that addresses it. In this case, it’s 4.17.21. The snyk fix command will then:

  1. Update package.json: It modifies the lodash entry to point to the new, safe version. If the original range was ^4.17.10, it might become ^4.17.21. If it was a direct version 4.17.10, it might update to 4.17.21.
  2. Update Lock File: It runs the appropriate package manager command (npm update or yarn upgrade) to fetch the new version and update the lock file (package-lock.json or yarn.lock) to reflect the exact installed version.
  3. Re-test: It runs snyk test again to confirm the vulnerability is gone.

After running snyk fix, your package.json might look like this:

{
  "name": "my-vulnerable-app",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "^4.17.21",  // Updated range
    "express": "^4.16.4"
  }
}

And your package-lock.json would be updated to reflect lodash version 4.17.21. The mechanical reason this works is that Snyk instructs your package manager to perform a version update within the constraints of your existing SemVer ranges. It’s not changing your code; it’s changing the declared and installed versions of your dependencies.

The critical detail Snyk handles is understanding the SemVer compatibility of the suggested fix. It won’t suggest upgrading lodash: "^4.17.10" to 5.0.0 automatically, even if 5.0.0 fixes the vulnerability, because a major version bump implies potential breaking changes. It will stick to patch or minor versions unless explicitly told otherwise or if no compatible patch/minor version exists.

The next error you’ll likely hit after fixing this dependency vulnerability is a new one discovered in another package, or perhaps a runtime error if the auto-fix introduced an unexpected compatibility issue with a transitive dependency that Snyk’s static analysis didn’t fully capture.

Want structured learning?

Take the full Snyk course →