Product Updates

Product update improvements

Improved

We're improving our product update communication experience to help keep you aware and in control. We heard your feedback that it can be hard to keep up with all the changes, so we're introducing new ways to help you find the information that's most relevant to you.

From September 11th, you'll see a new link to manage your Snyk email preferences directly from the product updates website. There's also a visible RSS feed link for those who prefer it. You'll be able to filter product updates using tags like Open Source CLI or MCP to find exactly what you're looking for.

We know how important it is for you to be aware of new features and changes that impact your work. Our goal is to give you more control and a better way to get the right information at the right time. We also want to ensure our communications are consistent with our Snyk brand for you to enjoy.

The product updates link in our platform web user interface will take you directly to the new product updates page. The red notification dot on the bell icon will be paused for approximately one week following the launch, before returning to its usual function of alerting you to new updates. The existing RSS feed link will not change. We plan to introduce a search feature for product updates in a later phase and we are currently assessing how best to display product updates within our platform.

Simon McEvoy | UX Content

Bitbucket Cloud API Key support - Snyk Essentials

New

Atlassian will deprecate App Passwords in Bitbucket Cloud and transition to API tokens, which provide a more secure authentication method, increased admin flexibility, and additional expiry controls. To align and support this change, Snyk Essentials will be supporting API tokens starting September 9th.

Main highlights include:

  • Support of the API Key

  • Users who integrate on or after September 9th, 2025, will need to provide user email and API Key

  • Existing integrations that already use app passwords will continue to function without interruption until June 9th, 2026, when app passwords will stop working entirely, or until the app password expires if that happens before June 9th.

Users are advised to migrate to the API key starting September 9th, 2025. For any questions, don't hesitate to reach out to the Snyk support team.

Noa Moshe | Product Manager

Inventory Empty State Clarification - Snyk Essentials

Improved

We are excited to announce a UI enhancement that gives Inventory a clearer empty state! It clarifies why enrichments might be empty. Main highlights include:

  • No cell is left empty without a reason; this change removes all guesswork.

  • To provide clarity on why the fields are missing, the Inventory page will display a defined empty state, including informative tooltips to guide users.

This update is scheduled to be rolled out across all Snyk environments on September 3rd. No actions are needed to enable these changes.

Noa Moshe | Product Manager

Snyk Code: Enhanced Coverage & Rule Documentation

Improved

We are excited to announce a new Snyk Code update, bringing increased findings and improved inline documentation to our customers.

What's New?

  • Improved Crypto Cipher Detection: In Java, Kotlin, and Scala, we've enhanced our detection for insecure crypto ciphers.

  • New Python Rule: A new rule has been added for XXE (XML External Entity Injection), which covers CWE-330.

  • Expanded JavaScript Coverage: We've added new coverage for popular JavaScript frameworks, including Angular's ActivatedRoutes and react-router-dom.

  • Javalin Web Framework Support: We have added new coverage for the Javalin web framework in Java and Kotlin.

  • Enhanced Issue Descriptions: The descriptions and titles for security issues have been updated to provide clearer, more specific information. For example, "Cleartext Transmission of Sensitive Information" will now be appropriately categorized into more granular findings like:

    • Cleartext Transmission via Unencrypted Socket

    • Cleartext Transmission via Unencrypted Email

    • Cleartext Transmission via Unencrypted WebSocket

    • Cleartext Transmission via HTTP Instead of HTTPS

This update is scheduled to be rolled out across all Snyk environments on September 15.

Sebastian Roth | Senior Product Manager

Improvements for JavaScript developers in Snyk Open Source 🎉

Improved

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

  • pnpm versions 7-10, including workspaces

  • All Snyk SCM integrations

  • Snyk CLI

  • Snyk CI plug-ins

  • PR Checks

  • Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

  • Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

  • Snyk now correctly throws errors for out-of-sync Yarn manifest files using resolutions when running under the default strict out-of-sync mode. Previously, this setting was ignored for Yarn resolutions.

  • Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

  • Snyk now offers more accurate results for npm projects using top-level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.

Johann Sutherland

Enhancements to SAST High-Context Inline Comments in PRs

Improved

As part of our continued effort to improve developer productivity, we have released several enhancements to High-Context Inline Comments today. These updates aim to reduce context switching by delivering contextual and actionable security findings directly within your workflow.

What’s new:

  • Data Flow support for GitLab & Azure Repos - Data flows are now supported for both GitLab and Azure Repos, helping developers trace how a vulnerability travels from source to sink in their code, making investigation and fixes faster. For users leveraging Snyk Broker, data flows are supported in the following versions:

    • GitLab: Broker version 4.215.2 or higher

    • Azure Repos: Broker version 4.218.2 or higher

  • We’ve resolved an issue for GitHub and Bitbucket users leveraging Snyk Broker. Data flows will now correctly point to the intended commit reference for the following versions:

    • GitHub: Broker version 4.216.1 or higher

    • Bitbucket: Broker version 4.217.3 or higher

No action is required to enable these changes. You can find more details in the user docs.

Mayank Khera | Senior Product Manager

Ruby and Maven improvements for SCM projects 🎉

New

Over the coming weeks we will be introducing a few improvements to Maven and Ruby projects imported through SCM integrations.

Ruby

Starting today, we are releasing minor improvements to Fix PRs for Ruby.

  • Snyk fixes vulnerabilities by updating vulnerable gems, running bundle update to re-lock your Gemfile.lock.

  • When a Ruby version is not explicitly declared in the Gemfile, Snyk now defaults to Ruby 3.3 or latest. Previously, Snyk would default to 2.7.

  • Additionally, Snyk now supports Ruby versions 3.3 and 3.4.

These changes have no impact on findings, but should improve the success rate of Fix PRs.

Maven

Starting two weeks from today, we’ll start gradually rolling out improvements to dependency resolution for Maven. The roll-out is expected to last approximately 1 month.

  • Snapshot artifacts, e.g. org.example:foo:1.0.0-SNAPSHOT, are published to Maven with unique versioning information. Snyk was previously not resolving these dependencies correctly, impacting the accuracy of projects and related issues. This will be fixed and projects will accurately detect these dependencies.

  • Logic for “provided” transitive dependencies is now correct and aligns with Snyk CLI and how Maven handles these cases.

Both of the Maven improvements have the potential to change the number of dependencies and issues detected in the project.

Please refer to our User Docs for more information on supported languages.

Ryan Searle | Product Director

Announcing Snyk CLI v1.1298.3

New

We’ve released a new CLI version (v1.1298.3) with new features, bug fixes and improvements to enhance your security scanning.

This update includes the following two changes:

1. Open Source: Gradle 9 Support

We are pleased to announce that the Snyk CLI now supports scanning Gradle 9 projects!

Previously, when scanning version 9 projects in the CLI, some operations might fail due to reliance on a deprecated and removed Gradle CLI flag. This has now been resolved, and Gradle 9 is officially supported in the Snyk CLI.

2. AI-BOM: The snyk aibom command

The AI-BOM CLI command is now publicly accessible.

You can use the snyk aibom command to identify AI models, datasets, and map the AI supply chain, including connections to external tools and services using the Model Context Protocol (MCP).

Note: AI-BOM is an experimental feature and is subject to breaking changes without notice. Read more in our documentation.

Release notes are available here.

We encourage everyone to upgrade to the latest version to take advantage of these new capabilities. If you have any questions, please don’t hesitate to reach out to the Snyk support team.

Costin Busioc | Senior Product Manager

project_target_file Now Available in Snyk Export API!

New

We're excited to announce a crucial enhancement to our new Export API: we've added the project_target_file field. This update is a significant step in helping customers transition from the deprecated Reporting V1 API to our more robust and modern Export API. The project_target_file field, which was previously only available in the older Reporting V1 API, is now included in the Export API. This field provides critical information for disambiguating ownership in monorepos.

How Does This Benefit You?

  • Seamless Migration: If your workflows, especially those involving monorepos, relied on project+target_file from the Reporting V1 API, you can now migrate those processes entirely to the Export API.

  • Improved Ownership Clarity: For complex projects like monorepos, target_file helps you precisely identify and manage project ownership, leading to more accurate reporting and better security insights. It contains the file path within a project that Snyk is targeting for security scanning, such as /var/www/composer.lock, /app/package.json, or other dependency manifest files.

  • Access to Modern API Features: By fully moving to the Export API, you can leverage its improved performance, scalability, and other advanced capabilities.

  • Reduced Reliance on Legacy API: This addition helps reduce the need for the older Reporting V1 API, allowing us to focus on enhancing our newer, more efficient solutions.

What You Need to Know

The data for target_file is consistent with what you've seen in the Reporting V1 API and our internal datasets. We've ensured a direct mapping to provide you with reliable information. To make this field available, we've updated several underlying data structures. While this required a full refresh of some datasets on our end, you don't need to take any action other than updating your API integrations to utilize the new field. This enhancement directly addresses feedback from customers, enabling a smoother and more complete transition to the Export API.

Maor Kuriel | Director of Product

Export API GA Release

New

The Export API is now GA, allowing our customers to create and download Snyk Issues data as a CSV file. It's useful for making custom reports and using Snyk data with other tools.

What it is and why it's helpful

The Export API, which Snyk Analytics supports, facilitates data export by enabling users to create and manage CSV files. These files are safely stored by Snyk. Designed for efficiency and security, the Export API helps users organize and scale the export of large datasets, which is useful for reporting and analytics tasks.

  • Consume predefined datasets, based on Snyk reporting data

  • Datasets evolve in parallel to Snyk Analytics' scope

  • Focus on the user experience and ease of consumption

More information

You can find more details, including how to use the API, in our product documentation.

Maor Kuriel | Director of Product