diff --git a/test/fixtures/qs-package/node_modules/pinkie/.snyk b/test/fixtures/qs-package/node_modules/pinkie/.snyk
new file mode 100644
index 0000000000..e83c509ff4
--- /dev/null
+++ b/test/fixtures/qs-package/node_modules/pinkie/.snyk
@@ -0,0 +1,19 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+ignore: {}
+# patches apply the minimum changes required to fix a vulnerability
+patch:
+  'npm:debug:20170905':
+    - promises-aplus-tests > mocha > debug:
+        patched: '2023-04-28T22:04:49.083Z'
+  'npm:lodash:20180130':
+    - xo > babel-eslint > babel-core > babel-plugin-proto-to-assign > lodash:
+        patched: '2023-04-28T22:04:49.083Z'
+    - xo > eslint-plugin-babel > babel-core > babel-plugin-proto-to-assign > lodash:
+        patched: '2023-04-28T22:04:49.083Z'
+  'npm:minimatch:20160620':
+    - promises-aplus-tests > mocha > glob > minimatch:
+        patched: '2023-04-28T22:04:49.083Z'
+  'npm:ms:20170412':
+    - promises-aplus-tests > mocha > debug > ms:
+        patched: '2023-04-28T22:04:49.083Z'
diff --git a/test/fixtures/qs-package/node_modules/pinkie/package.json b/test/fixtures/qs-package/node_modules/pinkie/package.json
index 5b291cd75a..f2705b3825 100644
--- a/test/fixtures/qs-package/node_modules/pinkie/package.json
+++ b/test/fixtures/qs-package/node_modules/pinkie/package.json
@@ -50,15 +50,17 @@
   "bugs": {
     "url": "https://github.com/floatdrop/pinkie/issues"
   },
-  "dependencies": {},
+  "dependencies": {
+    "@snyk/protect": "latest"
+  },
   "description": "Itty bitty little widdle twinkie pinkie ES2015 Promise implementation",
   "devDependencies": {
     "core-assert": "^0.1.1",
-    "coveralls": "^2.11.4",
+    "coveralls": "^3.0.0",
     "mocha": "*",
-    "nyc": "^3.2.2",
+    "nyc": "^14.0.0",
     "promises-aplus-tests": "*",
-    "xo": "^0.10.1"
+    "xo": "^0.40.3"
   },
   "directories": {},
   "dist": {
@@ -95,7 +97,10 @@
   },
   "scripts": {
     "coverage": "nyc report --reporter=text-lcov | coveralls",
-    "test": "xo && nyc mocha"
+    "test": "xo && nyc mocha",
+    "prepublish": "npm run snyk-protect",
+    "snyk-protect": "snyk-protect"
   },
-  "version": "2.0.4"
+  "version": "2.0.4",
+  "snyk": true
 }