{"id":15381,"library":"snyk-to-html","title":"Snyk JSON to HTML Report Generator","description":"snyk-to-html is a Node.js utility designed to convert the JSON output from various Snyk CLI commands (e.g., `snyk test --json`, `snyk code test --json`, `snyk iac test --json`, `snyk container test --json`) into a human-readable, static HTML vulnerability report. The current stable version is 3.7.1, released in April 2026. The package sees a relatively active release cadence, often featuring bug fixes, security updates, and new features like adding support for exploit maturity, reachability signals, and risk scores. A key differentiator is its ability to accept custom Handlebars templates, allowing users to tailor the report's appearance and included data fields. It is primarily used as a CLI tool but also exposes a programmatic API for integration into automated workflows.","status":"active","version":"3.7.1","language":"javascript","source_language":"en","source_url":"https://github.com/snyk/snyk-to-html","tags":["javascript","typescript"],"install":[{"cmd":"npm install snyk-to-html","lang":"bash","label":"npm"},{"cmd":"yarn add snyk-to-html","lang":"bash","label":"yarn"},{"cmd":"pnpm add snyk-to-html","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Used for templating the HTML reports. Recent releases have patched vulnerabilities related to this dependency.","package":"handlebars","optional":false}],"imports":[{"note":"This is the primary function for programmatic conversion. It's an ESM-first package requiring Node.js >=20.","wrong":"const convertToHtml = require('snyk-to-html').convertToHtml;","symbol":"convertToHtml","correct":"import { convertToHtml } from 'snyk-to-html';"},{"note":"Type definition for the options object passed to `convertToHtml`.","symbol":"SnykToHtmlOptions","correct":"import type { SnykToHtmlOptions } from 'snyk-to-html';"},{"note":"The tool is primarily designed for global CLI use after `npm install -g snyk-to-html`. 
Direct execution via `node` requires specifying the full path to the executable or the main script.","wrong":"node snyk-to-html -i input.json","symbol":"CLI usage (global)","correct":"snyk-to-html -i input.json -o report.html"}],"quickstart":{"code":"import { convertToHtml } from 'snyk-to-html';\nimport * as fs from 'fs';\n\nconst mockSnykJsonOutput = {\n  \"vulnerabilities\": [\n    {\n      \"id\": \"SNYK-JS-LODASH-590135\",\n      \"title\": \"Prototype Pollution\",\n      \"severity\": \"high\",\n      \"description\": \"The 'merge' function in lodash is vulnerable to prototype pollution via the 'assignValue' function.\",\n      \"packageManager\": \"npm\",\n      \"packageName\": \"lodash\",\n      \"version\": \"4.17.15\",\n      \"fixedIn\": [\"4.17.21\"],\n      \"exploitMaturity\": \"mature\"\n    }\n  ],\n  \"dependencyCount\": 1,\n  \"org\": \"my-org\",\n  \"policy\": \"Snyk Security Policy\",\n  \"isPrivate\": true,\n  \"summary\": \"1 vulnerable dependency path\",\n  \"uniqueCount\": 1,\n  \"filesystemPolicy\": false,\n  \"licensesPolicy\": null\n};\n\nasync function generateReport() {\n  try {\n    const htmlReport = await convertToHtml(JSON.stringify(mockSnykJsonOutput), {\n      title: 'Snyk Security Report',\n      // template: fs.readFileSync('./custom-template.hbs', 'utf8') // Optional: use a custom Handlebars template\n    });\n    fs.writeFileSync('snyk-report.html', htmlReport);\n    console.log('HTML report generated: snyk-report.html');\n  } catch (error) {\n    console.error('Failed to generate report:', error);\n  }\n}\n\ngenerateReport();\n","lang":"typescript","description":"Demonstrates programmatic conversion of Snyk JSON output into an HTML report using the `convertToHtml` function."},"warnings":[{"fix":"Upgrade your Node.js environment to version 20 or later using a tool like nvm or fnm.","message":"Node.js 20 or higher is required. 
Older Node.js versions are not supported.","severity":"breaking","affected_versions":"<3.0.0"},{"fix":"Use ESM `import` syntax (`import { convertToHtml } from 'snyk-to-html';`) and ensure your project is configured for ESM (e.g., `\"type\": \"module\"` in `package.json`). For CommonJS, dynamic import (`import('snyk-to-html')`) might be required.","message":"The package transitioned to an ESM-first architecture, meaning CommonJS `require()` statements may not work directly for programmatic imports without configuration.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Review the `metadata` object structure in the documentation for each new major or minor version if you use custom templates. Use `{{#if metadata.fieldName}}` guards to prevent errors if fields are optional or absent.","message":"Custom Handlebars templates may require updates if new data fields (e.g., `exploitMaturity`, `reachability`, `riskScore`, `epssDetails`) are introduced or existing ones change their structure.","severity":"gotcha","affected_versions":">=3.4.0"},{"fix":"Update `snyk-to-html` to version 3.7.1 or newer (`npm update snyk-to-html`).","message":"A Handlebars vulnerability (CVE-2026-33937O) was patched. Ensure you are on the latest patch version to mitigate potential security risks.","severity":"breaking","affected_versions":"<3.7.1"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Install the package globally: `npm install -g snyk-to-html` or ensure your PATH includes `$(npm config get prefix)/bin`.","cause":"The `snyk-to-html` executable is not in your system's PATH, usually because it wasn't installed globally or its global installation path isn't correctly configured.","error":"snyk-to-html: command not found"},{"fix":"Ensure the Snyk JSON output is provided as a string. 
If using `convertToHtml`, `JSON.stringify()` the object before passing it.","cause":"The input provided to the templating engine, either directly or via the `convertToHtml` function, was not a valid string.","error":"Error: Handlebars: Input is not a string"},{"fix":"Verify that the input JSON is valid Snyk CLI output. You can use `snyk test --json > output.json` and then validate `output.json` before passing it to `snyk-to-html`.","cause":"The provided Snyk JSON input is malformed or not in the expected format, causing the report generator to fail when trying to access properties.","error":"TypeError: Cannot read properties of undefined (reading 'vulnerabilities')"}],"ecosystem":"npm"}