Add snyk for dependency vulnerability checking

[sethbergman]

Feature

Integrate snyk for dependency vulnerability checking

Why is this feature being added?

It automatically checks dependencies that have been identified as vulnerable.

What should your feature do?

• Run a command in package.json for the snyk app to report the dependency vulnerabilities.

• snyk badge -->

[sethbergman]

Snyk's wizard will:

• Enumerate your local dependencies and query Snyk's servers for vulnerabilities
• Guide you through fixing found vulnerabilities
• Create a .snyk policy file to guide snyk commands such as test and protect
• Remember your dependencies to alert you when new vulnerabilities are disclosed

Querying vulnerabilities database...

License issues are not supported by the wizard, use snyk ignore

Tested 380 dependencies for known vulnerabilities, found 4 vulnerabilities, 27 vulnerable paths.

• Low severity vuln found in debug@2.6.7, introduced via axios@0.16.1

• desc: Regular Expression Denial of Service (ReDoS)
• info: https://snyk.io/vuln/npm:debug:20170905
• from: axios@0.16.1 > follow-redirects@1.2.3 > debug@2.6.7

Remediation options (Use arrow keys)

1. ❯ Re-install axios@0.16.1 (triggers upgrade to debug@2.6.9)
2. Patch (modifies files locally, updates policy for snyk protect runs)
3. Set to ignore for 30 days (updates policy)
4. Skip

[sethbergman]

This should be good to go. Thanks @gokaygurcan and @kylemh for your help with this. Sorry about the delay.

[dmarchante]

@kylemh @sethbergman Why is this still open, is there a reason?

[kylemh]

The PR that's open for this doesn't work, and it should. I was having a back-n-forth email conversation with people @ Snyk, but wasn't able to resolve the issue.

[kylemh]

Dependency security issues tracked via Greenkeeper in new repo