diff --git a/src/smc-webapp/.snyk b/src/smc-webapp/.snyk
new file mode 100644
index 0000000000..0a0bedc2ec
--- /dev/null
+++ b/src/smc-webapp/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.1
+ignore: {}
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+ 'npm:minimatch:20160620':
+ - coffeelint-cjsx > glob > minimatch:
+ patched: '2024-04-03T21:04:50.426Z'
+ id: 'npm:minimatch:20160620'
+ path: coffeelint-cjsx > glob > minimatch
diff --git a/src/smc-webapp/package.json b/src/smc-webapp/package.json
index e00d4157ba..dc81d70d72 100644
--- a/src/smc-webapp/package.json
+++ b/src/smc-webapp/package.json
@@ -66,7 +66,8 @@
 "reselect": "^2.5.4",
 "three": "^0.78.0",
 "timeago": "^1.5.3",
- "underscore": "^1.8.3"
+ "underscore": "^1.8.3",
+ "@snyk/protect": "latest"
 },
 "devDependencies": {
 "coffee-coverage": "^0.6.3",
@@ -82,7 +83,9 @@
 "scripts": {
 "test": "echo 'TEST WEBAPP'; SMC_TEST=true node_modules/.bin/mocha --reporter progress test && echo 'TEST JUPYTER CLIENT'; cd jupyter && ../node_modules/.bin/mocha --reporter progress test",
 "lint": "node_modules/.bin/coffeelint -f ../smc-util/coffeelint.json -c *.coffee *.cjsx",
- "coverage": "rm -rf ./coverage/; SMC_TEST=true node_modules/.bin/mocha --require ./coffee-coverage-loader.js && node_modules/.bin/istanbul report text html"
+ "coverage": "rm -rf ./coverage/; SMC_TEST=true node_modules/.bin/mocha --require ./coffee-coverage-loader.js && node_modules/.bin/istanbul report text html",
+ "prepublish": "npm run snyk-protect",
+ "snyk-protect": "snyk-protect"
 },
 "repository": {
 "type": "git",
@@ -111,5 +114,6 @@
 "bugs": {
 "url": "https://github.com/sagemathinc/cocalc/issues"
 },
- "homepage": "https://github.com/sagemathinc/cocalc"
+ "homepage": "https://github.com/sagemathinc/cocalc",
+ "snyk": true
 }
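Review bot: The `patch:` entry in the new .snyk file covers only the single path `coffeelint-cjsx > glob > minimatch`, so any other route to the same minimatch release in the dependency tree would stay unpatched; whether such a route exists cannot be told from this diff. A patch applied to node_modules at install time is a stopgap rather than a fix, and the policy file should say so. I would add a comment above the entry such as `# temporary: remove once coffeelint-cjsx resolves to a fixed minimatch`. `ignore: {}` is fine as written, since nothing is being suppressed.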
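Review bot: `"@snyk/protect": "latest"` in `dependencies` is an unpinned specifier for a package whose binary is run from a lifecycle script and rewrites files under node_modules, so each fresh install can fetch and execute a different release. Pin it to a reviewed version or range, e.g. `"@snyk/protect": "<PINNED_VERSION>"`, and let the lockfile, if the project keeps one, record the integrity hash. The other entries in this object use caret ranges, so `latest` is also inconsistent with the file's own convention. The `dependencies` object starts outside the hunk.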
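Review bot: The `prepublish` hook added to `scripts` uses the deprecated lifecycle name; npm's documented replacement for work that must run on a local install is `prepare`, so `"prepare": "npm run snyk-protect"` expresses the intent more reliably across npm versions. The patch step is also skipped silently whenever install runs with `--ignore-scripts`, which would leave the minimatch advisory listed in .snyk unpatched with no error. An explicit `npm run snyk-protect` step in CI, or a dependency scan that fails the build, would make that case visible.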