diff --git a/cli/.snyk b/cli/.snyk
new file mode 100644
index 000000000000..4edf582060e1
--- /dev/null
+++ b/cli/.snyk
@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.13.5
+ignore: {}
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+ SNYK-JS-LODASH-450202:
+ - getos > async > lodash:
+ patched: '2019-07-04T05:37:11.135Z'
diff --git a/cli/package.json b/cli/package.json
index 924a6e8b9de4..0ecff6c0fc56 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -23,7 +23,9 @@
 "build": "node ./scripts/build.js",
 "prerelease": "npm run build",
 "release": "cd build && releaser --no-node --no-changelog",
- "size": "t=\"$(npm pack .)\"; wc -c \"${t}\"; tar tvf \"${t}\"; rm \"${t}\";"
+ "size": "t=\"$(npm pack .)\"; wc -c \"${t}\"; tar tvf \"${t}\"; rm \"${t}\";",
+ "snyk-protect": "snyk protect",
+ "prepublish": "npm run snyk-protect"
 },
 "nyc": {
 "exclude": [
@@ -72,7 +74,8 @@
 "supports-color": "5.1.0",
 "tmp": "0.0.31",
 "url": "0.11.0",
- "yauzl": "2.8.0"
+ "yauzl": "2.8.0",
+ "snyk": "^1.189.0"
 },
 "devDependencies": {
 "@cypress/releaser": "0.2.2",
@@ -100,5 +103,6 @@
 "lib",
 "index.js",
 "types/*.d.ts"
- ]
+ ],
+ "snyk": true
 }
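Review bot: The `prepublish` hook added in the `scripts` hunk of cli/package.json (`@@ -23,7 +23,9 @@`) applies the Snyk patch only to the `node_modules` tree of the checkout where the script runs. The `files` list visible in the last hunk publishes just `lib`, `index.js` and `types/*.d.ts`, so unless dependencies are bundled somewhere outside this diff, consumers who install the package would still resolve the unpatched lodash under `getos > async`. If the aim is to protect users, upgrading the dependency chain so lodash resolves to a fixed release is the durable fix. If the aim is only to patch the development checkout, `prepublish` is deprecated in current npm and `"prepare": "npm run snyk-protect"` is the supported equivalent. The `scripts` object starts outside the hunk, so check it for an existing `prepare` or `prepublish` entry before adding one.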
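Review bot: `"snyk": "^1.189.0"` in the `dependencies` hunk (`@@ -72,7 +74,8 @@`) installs the Snyk CLI and its transitive tree for every consumer of this package, and it is the only caret range among the visible entries, which are all pinned to exact versions. The only use visible in this diff is the `snyk-protect` script run from `prepublish`, so it looks like it belongs under `devDependencies` with an exact pin, e.g. `"snyk": "1.189.0"`. A floating range on a tool that rewrites files under `node_modules` widens the supply-chain surface without protecting installed copies. The dependency lists continue outside the hunk, so confirm nothing at runtime requires it before moving it.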