Product Updates

Python 3.13 support for Snyk Open Source SCM scans

Improved

From April 23rd 2025, Snyk Open Source will support SCM integration scanning of pip and pipenv applications using Python 3.13, as follows:

  • pip: Snyk will use Python 3.13 for SCM scans when it is specified in Organization settings or in a .snyk file.

  • pipenv: Snyk will scan using Python 3.13 if it is specified in the project's Pipfile.

In both cases, the updated results will be available after the project's next retest.

⚠️ Note that for affected projects, the number of dependencies and issues reported may increase, because packages that only install under Python 3.13 are now resolved.

FAQ

Q: How do I specify Python version for pip projects?

This can be defined in Organization settings, or on a per-repo basis using .snyk files. See documentation.

Q: How do I specify Python version for pipenv projects?

Snyk uses the Python version specified in the project's Pipfile ([requires] python_version).

Before this release, a Pipfile specifying Python 3.13 (or any other version Snyk did not yet support) was scanned with the default version, 3.10, instead.

Q: How does Python version affect accuracy of Snyk scans?

Some Python packages only install under specific Python versions, and dependency metadata can make a package (or a particular version of it) conditional on the interpreter version. Developers must build these applications in an environment with a compatible Python version for them to install correctly.

For the same reason, Snyk must be configured with the same Python version your application runs on in order to resolve the same dependency set and report accurate results.

Risk aware Fix PRs for Snyk Open Source

New

We are excited to announce upcoming improvements to Snyk Open Source Fix PRs to help you manage the overall risk posture of your applications.

Fix PRs are a key tool for helping developers stay on top of new vulnerabilities in their dependencies. However, because a Fix PR upgrades a dependency, it can sometimes pull in new vulnerabilities that increase the overall risk posture of the project.

Snyk will now only raise a PR for a vulnerability if the upgrade does not introduce additional vulnerabilities of higher severity than the one being fixed.

Users should expect to see on average a 10% reduction in Fix PRs as a result.

When is this coming?

Gradual rollout of these changes will begin on April 3rd, and finish by April 10th.

During the rollout, an increasing percentage of Fix PRs for all users will have the new risk aware checks applied.

No action is required to benefit from these improvements.

Bug fix for improved .NET scanner Fix PRs

Fix

Snyk Open Source Fix PRs are a key feature for helping developers stay on top of vulnerabilities in their dependencies.

However, Fix PRs in projects using the Early Access improved .NET scanning feature could sometimes upgrade the wrong dependencies.

This fix ensures that the correct dependencies are upgraded.

When is this coming?

  • This fix will be gradually rolled out.

  • Rollout begins on April 15th, and should finish by May 2nd.

  • During the rollout customers using Early Access .NET scanning should expect to see fewer incorrect .NET Fix PRs being raised, with the problem eliminated entirely by the end date.

Focus on What Matters: Delta Findings is Now Generally Available in Snyk IDE Plugins!

New

Starting March 14th, the updated Snyk IDE plugins include the General Availability of Delta Findings. With it enabled, you see only the issues newly introduced in your current branch, relative to a reference, which removes pre-existing noise and lets you concentrate on your recent changes.

This targeted approach helps you catch issues before they are committed, keeps your CI/CD pipeline from being blocked by findings you did not introduce, and speeds up delivery.

We've also enhanced the experience with a new Summary section for seamless navigation between "All" and "New" issues views. Plus, we've added reference folder comparison, enabling you to compare your work with other branches or folders—perfect for non-Git projects.

Supported Products: Snyk Code, Open Source, and IaC.

For more details about the Snyk IDE plugins, please see our documentation.

If you have any questions, feel free to reach out to the Snyk support team.

Costin Busioc | Senior Product Manager

Enhanced Open Source Vulnerability Management: Group by Library!

New

We're excited to announce a significant improvement to our platform's open source vulnerability management capabilities. Starting March 17th, we'll begin a progressive rollout of a new feature that simplifies how you view and address vulnerabilities: the ability to group issues by library. This enhancement directly addresses the challenge of navigating overwhelming lists of individual vulnerabilities, providing a clearer and more insightful view of your project's security landscape.

By selecting the "Group by Library" option on your Open Source project's vulnerability dashboard, you'll instantly see vulnerabilities organized by the specific library responsible. This allows you to quickly understand the impact of a single library upgrade, visualizing how many vulnerabilities it will resolve. This enhanced visibility empowers you to make informed decisions and prioritize fixes effectively.

Additionally, the final Fix PR creation page will also reflect this grouped view, ensuring a consistent and streamlined experience throughout your workflow.

This feature is designed to provide a more intuitive and efficient way to manage open source vulnerabilities, enabling you to focus on the libraries that matter most.

We're confident that grouping by library will significantly improve your ability to understand and address security concerns, leading to more secure and well-maintained open source projects!

Costin Busioc | Senior Product Manager

Poetry 2 support

Improved

We are pleased to announce upcoming support for Poetry 2 in Snyk Open Source.

Poetry 2.0.0 was released on Jan 5th with a number of functional improvements, including support for the standard PEP 621 format for declaring dependencies in the [project] table of the pyproject.toml manifest, in addition to the [tool.poetry] tables Poetry 1 used.

From March 26th, Poetry 2 will be supported in both the Snyk CLI and SCM integrations, with the same features as for Poetry 1.

After this update, to see results for Poetry 2 projects you should take the following actions:

  • SCM: Re-import any Git repositories containing Poetry 2 projects.

  • CLI: Upgrade to the new CLI version and run snyk test or snyk monitor as usual.

Customers using the --all-projects CLI option in their CI/CD pipelines may see new findings once Poetry 2 projects are detected as a result of this enhancement, since those projects previously contributed no dependencies to the scan.

More improvements for Gradle scanning - "apply from"

Improved

We are pleased to announce further improvements to scanning Gradle projects with Snyk Open Source.

Gradle projects often split configuration into secondary build files pulled in with the apply from syntax, to manage dependencies, repositories, extra properties and other settings outside the main build script.

From December 12th, Snyk's improved Gradle scanner (available in Snyk Preview) will support analyzing these kinds of additional build files.

The following forms will be supported.

  • Groovy: apply from: "dependencies.gradle"

  • Kotlin: apply(from = "dependencies.gradle.kts")

Note that any file name may be used; the names above are only examples.

Existing users of the new scanner should see the improved results on the next rescan of their projects. To start using the new scanner, see the documentation.

Snyk Open Source Gradle 8 CLI support

Improved

We are pleased to announce that the Snyk CLI now supports scanning Gradle 8 projects!

Previously, when scanning Gradle 8 projects in the CLI, some operations could fail due to an incompatibility with the Gradle configuration cache. This has now been resolved, and Gradle 8 is officially supported in the Snyk CLI. 🎉

Upgrade to CLI v1.1273.0 or above to scan your Gradle 8 applications.