Tuesday, 5 June, 2018 UTC

Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands ...


Wednesday, 30 May, 2018 UTC

10 GitHub Security Best Practices

In the second installment of our cheat sheet series, we’re going to cover how you can be more secure as a GitHub user or contributor. Much of it is specific to GitHub, but there’s also general advice in both the cheat sheet and this blog that is applicable ...


Wednesday, 11 April, 2018 UTC

JavaScript and Node.js Security – The Common Pitfalls

JavaScript and Node.js have shown themselves to be amazing platforms. Their sheer ease of use has empowered an entire community of creative individuals to build amazing things. Like in all cases, however, amongst the goodness lurk some risks. Nobody’s ...


Thursday, 5 April, 2018 UTC

Attacking an FTP Client: MGETting more than you bargained for

Introduction: We often hear about vulnerabilities in HTTP clients, such as web browsers, that are typically exploited by malicious web content; there’s nothing new here. But did you know that the FTP clients themselves can also have vulnerabilities that ...


Thursday, 8 March, 2018 UTC

Snyk $7M Series A - and a huge thanks!

On Tuesday we announced our $7M series A! This funding is a great testament to the importance of having developers own security and the critical need to secure our use of open source code. It’s also a humbling show of faith in our product and team, who ...


Thursday, 1 March, 2018 UTC

JFrog Xray+Snyk... good, better, best!

With the launch of Xray, JFrog has pioneered the binary scanning space providing radical transparency and unparalleled insight into your software architecture. Snyk’s integration into Xray expands on that to take Xray up the stack and provide scanning ...


Thursday, 15 February, 2018 UTC

Suppressing issues in Snyk

Ignoring security issues shouldn’t be the default action, but it is sometimes necessary. Snyk only validates vulnerabilities that exist in dependent components, so it has a relatively low false-positive rate (which should reduce the need to ignore), ...


Thursday, 25 January, 2018 UTC

Where do security patches come from?

Known vulnerabilities in software are a widely known problem, and were the cause of some of the world’s biggest security breaches, including the Mossack Fonseca (Panama Papers) breach, the VerticalScope breach in which 45 million passwords and IP addresses ...


Thursday, 11 January, 2018 UTC

npm Shrinkwrap Reloaded: Locking npm Deps with Package-Lock and Yarn.Lock

In 2016 dependency management made headlines around the world, when an unknown developer unpublished a tiny Node.js package called left-pad, broke thousands of projects which depended on that package, and brought down some of the world’s biggest websites. ...


Wednesday, 3 January, 2018 UTC

Using the Snyk API to get your vulnerabilities

Illustration by Lou Reade. In this blog post, you will learn how to use the Snyk API to retrieve all the issues associated with a given project. There are several reasons you may find it valuable, notably pulling them into your reports and dashboards, ...


Thursday, 21 December, 2017 UTC

Announcing Snyk for .NET, Go and PHP

The holiday season is around the corner, and we thought, why not give a modest gift of our own to Snyk’s growing community? Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we’re taking another ...


Tuesday, 5 December, 2017 UTC

Bower is dead, long live npm. And Yarn. And webpack.

Bower is no longer the dependency manager of choice for front-end projects. While the open source project is still maintained, its creators decided to deprecate it, and advise how to migrate to other solutions—namely Yarn and webpack. In this post, we ...


Tuesday, 21 November, 2017 UTC

77% of 433,000 Sites Use Vulnerable JavaScript Libraries

Last week, we released our first annual State of Open Source Security report. One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security ...


Thursday, 16 November, 2017 UTC

Announcing the 2017 State of Open Source Security Report

Today we’re excited to launch the 2017 State of Open Source Security Report! You can download the full report as a free PDF, or visit https://snyk.io/stateofossecurity/ for an overview of the findings. Open source is awesome and rapidly growing. The ...


Wednesday, 1 November, 2017 UTC

MIT, Apache 2 or BSD license: Who is the fairest of them all?

In 1997, Eric Raymond published his landmark essay “The Cathedral and the Bazaar”, which became the manifesto for the open source movement. He set forward principles like “plan to throw one version away”, “release early, release often”, and “given enough ...


Friday, 27 October, 2017 UTC

Snyk is Now Integrated with Chrome's Lighthouse

Today we have another exciting announcement: Snyk is now powering the brand-new vulnerable JavaScript audit in Google Chrome’s Lighthouse, the auditing tool built by the Google Chrome team that checks how performant, accessible and secure your site ...


Wednesday, 25 October, 2017 UTC

Announcing Snyk-Powered Linting in Sonar

We’re proud to announce that Snyk now powers the vulnerable JavaScript libraries linter in Sonar—an open-source linting tool for developers led by a bunch of folks from Microsoft. Earlier this year we ran a test on the top 5,000 URLs on the web and ...


Thursday, 21 September, 2017 UTC

Launching the State of Open Source Security Survey

Earlier this week, we kicked off The State of Open Source Security survey. Our goal is to help all of us understand where we stand when it comes to building and consuming open source in a way that keeps us and the data we hold safe. We’ve made the survey ...


Monday, 11 September, 2017 UTC

Open source vulnerabilities tripped Equifax, how can you defend yourself?

Equifax, a credit monitoring giant, disclosed last week it was breached, exposing highly personal data of 143 million people, and stated the root cause was a vulnerability in Apache Struts, a highly popular Java library. The company fumbled its response ...


Thursday, 24 August, 2017 UTC

Snyk and Atlassian, Sitting in a Tree

With Snyk support for Bitbucket Server now out of beta, you can tightly integrate Snyk with your Atlassian workflow from start to finish—from easily monitoring your projects, to integration with Bitbucket pipelines and even JIRA ticket creation. Bitbucket ...


Wednesday, 2 August, 2017 UTC

Announcing Snyk for Gradle, Scala and Python

Since we launched nearly two years ago, Snyk has been focused on making it easier to use open-source code without compromising security. Initially, we focused on Node.js, making sure we built up a robust, developer-friendly tool in the process. Since ...


Thursday, 29 June, 2017 UTC

Getting the Most Out of Snyk Test with JSON

Running snyk test will scan your application’s dependencies and test to see if any of them contain known vulnerabilities. If any vulnerabilities are discovered, the command will result in an error and output information about the vulnerability, and how ...


Friday, 9 June, 2017 UTC

XSS Attacks: The Next Wave

Has the XSS threat died down? It’s been over 10 years since Cross Site Scripting (XSS) became big news, awareness has grown and defenses have become much more sophisticated. But recent data paints a different story: XSS attacks grew 39% in Q1 of 2017, ...


Wednesday, 7 June, 2017 UTC

Bitbucket Server Integration in Beta

Hot on the heels of the launch of Snyk serverless integration for Heroku and AWS Lambda, we are launching our next integration with Bitbucket Server, Atlassian’s Git solution for professional teams. The integration is currently in beta, and we’re looking ...


Wednesday, 26 April, 2017 UTC

Introducing Snyk for Serverless

Today we’re excited to announce Snyk’s new solution for securing your serverless functions, designed to easily integrate and protect serverless-based applications! The initial launch features tight integration with both AWS Lambda and Heroku. We’re also ...


Wednesday, 19 April, 2017 UTC

Serverless Security implications—from infra to OWASP

By its very nature, Serverless (FaaS) addresses some of today’s biggest security concerns. By eliminating infrastructure management, it pushes its security concerns to the platform provider. Unfortunately, attackers won’t simply give up, and will instead ...


Tuesday, 18 April, 2017 UTC

Maven support is here!

Last November, we announced that in addition to Node.js support, we were adding support for Ruby. And now it’s time to expand yet again. Today we’re excited to announce Snyk’s support for Java and other Maven-supporting languages! Keeping Java projects ...


Wednesday, 5 April, 2017 UTC

Continuously secure all apps with unlimited Snyk projects

To do security well, you have to do it continuously. Finding and fixing vulnerable libraries once is great, but without monitoring those dependencies and testing code changes, you’ll quickly slip back to being insecure. Snyk’s mission isn’t to get you ...


Wednesday, 29 March, 2017 UTC

77% of sites use at least one vulnerable JavaScript library

The other week a paper was released that reported that about 37% of sites included at least one JavaScript library with a known vulnerability. When we wrote about the findings, we mentioned that we thought that the reality was almost certainly worse. ...


Tuesday, 21 March, 2017 UTC

Type Manipulation: Escaping Template Sandboxes

A key property of interpreted languages such as JavaScript and Ruby is dynamic typing, wherein variable types are determined and updated at runtime. Dynamic typing has its downsides, but it can make software more flexible, and development faster. Unfortunately, ...