More free advice for Snyk (if they somehow end up seeing this, which they won't): A ton of its many false positives, maybe 30%, come from not having any hints about the top-level context. Path traversal attacks can happen to REST services accepting uploads or whatever, but an internal command-line tool for tidying up the source code isn't going to be attacked that way.