Safeguard
Open Source Security

How Snyk patches remediate vulnerabilities that have no a...

How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.

Aman Khan
AppSec Engineer
7 min read

In March 2020, researchers disclosed CVE-2020-8203, a prototype pollution flaw in lodash affecting versions up to 4.17.15. A fix eventually landed in 4.17.19, but plenty of projects couldn't just npm install lodash@latest and move on — lodash was often pulled in transitively by other packages that hadn't bumped their own pin yet, and some teams were locked to an older major version for compatibility reasons. This is the exact gap Snyk's patch feature was built to close: instead of waiting for an upstream release or a transitive maintainer to act, Snyk ships a small, targeted code change that neutralizes the vulnerable logic directly inside the dependency already sitting in node_modules. No new package version, no waiting on a maintainer, no forced major-version jump. This post walks through how that mechanism actually works, where it applies, and where its limits are.

What Is a Snyk Patch, Mechanically?

A Snyk patch is a unified diff — the same format git diff produces — that Snyk's security team writes against the specific vulnerable source file(s) inside a dependency, then distributes through Snyk's vulnerability database alongside the advisory for that CVE. Rather than publishing a new package version, Snyk maps the file-level change onto the version(s) of the package actually affected, and stores that mapping as patch metadata tied to the vulnerability ID (Snyk's own identifiers look like SNYK-JS-LODASH-567746, for example). When a project runs snyk protect, the Snyk CLI reads the applicable patches out of the project's .snyk policy file, locates the matching files inside the installed dependency tree, and applies the diff in place — editing the vulnerable function directly rather than swapping out the whole package. The result functions like a manual security backport, except Snyk's team does the work of identifying, isolating, and formatting the fix so it can be applied programmatically instead of by hand.

How Does Snyk Build a Patch When There's No Upstream Release Yet?

Snyk's team derives the patch from the actual code change that resolves the vulnerability, whether or not that change has shipped in a tagged release. In many cases the maintainer has already merged a fix to their source repository — on GitHub, for instance — but hasn't cut a new npm/PyPI release, or the fix only exists on a branch. Snyk's researchers take that underlying code change, adapt it to apply cleanly against the specific older versions still in wide use, and package it as a patch tied to each affected version range. This is why patch availability is often narrower than the vulnerability's overall version range: a patch has to be hand-verified against the exact file layout and surrounding code of each version it targets, so Snyk typically covers the most commonly deployed affected versions rather than every historical release.

When Does Snyk Recommend a Patch Instead of an Upgrade?

Snyk surfaces a patch as a remediation option specifically when a clean upgrade isn't a realistic near-term move — three situations account for most cases. First, when the fix only exists on an unreleased branch or commit and no version number yet contains it, a patch lets a team remediate immediately rather than polling npm for a release that may be weeks out. Second, when the only fixed version available is a new major release with breaking API changes, a patch avoids forcing a migration project just to close a vulnerability. Third, when the package is effectively unmaintained — no commits, no releases, an open issue tracker nobody responds to — a patch may be the only remediation path Snyk can offer at all, since there's no maintainer left to ship a fix. In Snyk's UI and CLI output, these show up as a distinct "Patchable" indicator next to the vulnerability, separate from the "Upgrade to version X" recommendation, and a project can have both options available at once for the same finding.

How Do You Apply and Maintain a Snyk Patch in a Project?

Patches are applied through the snyk protect command, and they're recorded in a .snyk policy file that lives in the project's repository. Running snyk protect (commonly wired into a postinstall npm script) reads the patch entries from .snyk, checks the installed package version against the version ranges each patch targets, and rewrites the matching files inside node_modules if there's a match. Because node_modules is normally rebuilt on every fresh npm install, patches have to be reapplied on every install — this is precisely why teams hook snyk protect into postinstall rather than running it as a one-off command. If a project later upgrades past the patched version range, snyk protect simply skips that patch on the next run since the version no longer matches, so patches are self-limiting: they don't linger after a real upgrade happens. This mechanism has historically been most mature in the npm/Node.js ecosystem, where Snyk's patch tooling originated.

What Are the Limitations of Patch-Based Remediation?

Patches fix the specific vulnerable code path, not the package's overall version state, which means dependency graphs, SBOMs, and vulnerability scanners that key off declared package versions will keep reporting the old, technically-vulnerable version number even after a patch is applied. A patch also only covers the version ranges Snyk's team has explicitly verified it against — a version outside that range, even if closely adjacent, may not have a corresponding patch available, and Snyk will fall back to recommending an upgrade instead. Patches are also inherently reactive and manual: someone on Snyk's side has to notice the fix, adapt it, and test it before it's published, so there's a lag between an upstream fix appearing and a Snyk patch becoming available for it, and not every vulnerability in Snyk's database gets a patch at all — many entries only ever carry an upgrade recommendation. Finally, because a patch changes files inside a dependency post-install, teams relying on immutable or vendored dependency trees, or on build systems that don't run postinstall scripts, need an alternate way to apply the same diff, since snyk protect assumes a standard npm install lifecycle.

How Safeguard Helps

Whichever remediation path a vulnerability ends up needing — an upgrade, a patch, or neither yet — the harder problem is usually knowing it exists and confirming it actually got applied across every repo that carries the dependency. Safeguard's software supply chain security platform continuously inventories dependencies across an organization's codebases, flags which ones carry known vulnerabilities, and tracks remediation status over time so a patch applied in one repo doesn't quietly get missed in the other twelve that pull in the same package. Because patched files don't change the declared package version, Safeguard's scanning is built to avoid the trap of treating an unchanged version string as an unresolved finding when the underlying risk has already been mitigated, and to flag drift when a patch silently stops matching after a dependency bump. For unmaintained packages with no fix and no patch on the horizon, Safeguard surfaces that exposure explicitly as part of ongoing risk tracking, rather than letting it sit invisible in a dependency tree until an audit or an incident forces the question. The goal is straightforward: give security and engineering teams one place to see what's vulnerable, what's already been mitigated, and what still needs a decision — instead of reconstructing that picture manually from scanner output and postinstall scripts.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.