We got owned by Snyk on our own product.
Last week Snyk flagged a real transitive vulnerability in our production repo (uuid@10.0.0 via resend).
We were only reading package.json - like most lightweight scanners still do — while the actual attack surface lives in package-lock.json.
1 comment
[ 2.7 ms ] story [ 16.4 ms ] threadSo we did what we always do: we fixed it.