1 comment

[ 2.7 ms ] story [ 16.4 ms ] thread
We got owned by Snyk on our own product. Last week Snyk flagged a real transitive vulnerability in our production repo (uuid@10.0.0 via resend). We were only reading package.json - like most lightweight scanners still do — while the actual attack surface lives in package-lock.json.

So we did what we always do: we fixed it.