Frontend security — thoughts on Snyk

I can’t remember why but few months ago I started looking into keeping my various React projects secure. Here’s some of what I discovered (more to come). I hope some will be valuable to you.

A while ago I discovered Snyk and I hooked it up my various projects with it. Snyk sends me a weekly security summary with the breakdown of various security issues across all of my projects.

This is part of Snyk’s weekly report I receive in my inbox

Snyk also gives me context about the particular security issues found:

This is extremely useful if you want to understand the security issue

It also analyzes my dependencies on a per-PR level:

Safey? Check! — This is a GitHub PR check (like Travis)

Other features that I’ve tried from Snyk:

1. It sends you an email when there’s a vulnerable package (no need to wait for the weekly report)
2. Open PRs upgrading vulnerable packages when possible
3. Patch your code while there’s no published package with a fix

This is a summary for your project — it shows that a PR can be opened

The above features I have tried and I decided not to use them for the following reasons (listed in the same order as above):

1. As a developer I already get enough interruptions in a week. I don’t need to be notified for every single security issue in my dependency tree. My projects don’t deal with anything sensitive, thus, I’m OK with waiting to deal with them at the beginning of the week
2. The PR opened by Snyk does not work well with Yarn since it does not update the yarn.lock file, thus, requirying me to fetch the PR, run yarn install and push it back (This wastes my time)
3. The feature to patch your code (Runtime protection or snyk protect) adds a very high set up cost (1–2 minutes) everytime you need to run yarn install. This is because it analyzes all your dependencies and patches your code in-situ. This gets on the way of my development workflow.

Overall I’m very satisfied with Snyk and I highly recommend using it.

In the following posts I’m thinking of speaking on:

• How Renovate can help reduce the burden of keeping your projects up-to-date (reducing security work later on)
• Differences between GitHub’s security tab (DependaBot) and Snyk
• npm audit, yarn audit & snyk test

NOTE: This post is not sponsored by Snyk. I love what they do, I root for them and I hope they soon fix the issues I mention above.