Product Updates


Enhanced Open Source Vulnerability Management: Group by Library!

New

We're excited to announce a significant improvement to our platform's open source vulnerability management capabilities. Starting March 17th, we'll begin a progressive rollout of a new feature that simplifies how you view and address vulnerabilities: the ability to group issues by library. This enhancement directly addresses the challenge of navigating overwhelming lists of individual vulnerabilities, providing a clearer and more insightful view of your project's security landscape.

By selecting the "Group by Library" option on your Open Source project's vulnerability dashboard, you'll instantly see vulnerabilities organized by the specific library responsible. This allows you to quickly understand the impact of a single library upgrade, visualizing how many vulnerabilities it will resolve. This enhanced visibility empowers you to make informed decisions and prioritize fixes effectively.

Additionally, the final Fix PR creation page will also reflect this grouped view, ensuring a consistent and streamlined experience throughout your workflow.

This feature is designed to provide a more intuitive and efficient way to manage open source vulnerabilities, enabling you to focus on the libraries that matter most.

We're confident that grouping by library will significantly improve your ability to understand and address security concerns, leading to more secure and well-maintained open source projects!


Costin Busioc | Senior Product Manager

GitHub Server App is now Generally Available

New

We’re excited to announce the General Availability of the GitHub Server App!

The app is designed specifically for organizations using self-hosted or private cloud deployments of GitHub Enterprise Server, offering a secure and simplified integration with Snyk as an alternative to the existing integration with personal access tokens (PATs).

With features like Role-Based Access Control (RBAC) and granular repository-level permissions, you can manage access efficiently, ensuring your users only see the data they need. These benefits not only simplify policy management but also align with modern security practices, eliminating the need for managing individual accounts. The app is compatible with the newly introduced Universal Broker. You can access the app directly through the integration page—check out the user docs for more details! 🚀


Mayank Khera | Senior Product Manager

Poetry 2 support

Improved

We are pleased to announce upcoming support for Poetry 2 in Snyk Open Source.

Poetry 2.0.0 was released on Jan 5th, with a number of functional improvements including support for the standard PEP 621 format for declaring dependencies in the pyproject.toml manifest file.

From March 26th, Poetry 2 will be supported in both the Snyk CLI and SCM integrations, with the same features as for Poetry 1.

After this update, to see results for Poetry 2 projects you should take the following actions:

  • SCM: Re-import any git repositories containing Poetry 2 projects

  • CLI: Upgrade to the new CLI version and run snyk test or snyk monitor as usual.

Customers using the --all-projects CLI param in their CI/CD pipelines may see new findings when Poetry 2 projects are detected as a result of this enhancement.

Improved License Data Accuracy for Maven & NPM

Improved

🔄 More Reliable License Data, Fewer Surprises

We’re rolling out an upgrade to our license data acquisition system for Maven and NPM, bringing fresher, more accurate data and better control over license overrides when needed.

What’s Changing?

✅ More accurate & fresher license data

✅ Previously undetected licenses may now appear, enabling greater compliance

Why It Matters

This update enhances data reliability and streamlines license overrides, making it easier to manage license compliance with confidence.

📅 Rolling out March 19th! Most customers won't notice this change, but in some cases you may see an increase in High or Critical License Issues depending on your configured License Policies.

Improvements to ignore types on the project page

Improved

On the project page, all ignore types will now allow expiration dates to be set. Additionally, the ignore type currently labeled "Ignore Permanently" on the project page will be relabeled "Won't Fix" to match what is reflected in the API.

Ezra Tanzer | Director, Product Management

Snyk Generated Pull Requests report is now available in Early Access

Early access

Currently, Snyk can automatically create pull requests (PRs) on your behalf to upgrade your dependencies based on the relevant scan results. These can help you pay down your security vulnerability backlog, introduce fixes for newly discovered issues, or keep your dependencies up to date with new versions.

With our new "Snyk Generated Pull Requests" report now available in Early Access, you can visually track and measure the impact of these fix PRs. This report enables you to review how many Snyk Fix, Backlog, and Upgrade PRs were opened, merged, or closed across your repositories, and observe the overall mean time to merge. This report, available for all supported SCM integrations, can be filtered by organization, repository, project, or source and is refreshed every 90 minutes.

To view this report, simply navigate to the Reports section of your Group or Organization and choose “Snyk Generated Pull Requests” from the "Change Report" drop-down menu.

For more information, visit our reports documentation.

Jeff Andersen | Director, Product Management

High Context Inline Comments: Enhancements for a Better PR Experience

Early access

As part of our commitment to improving the pull request experience, we’ve introduced key enhancements to Inline Comments which boost developers' productivity by bringing detailed security findings directly into their PRs.

What’s new:

✅ Inline Comments are now capped at 10, prioritizing the most critical vulnerabilities by severity to prevent clutter and avoid SCM rate limits. If more than 10 findings exist, a note in the PR Summary Comment will notify you.

✅ Smarter vulnerability placement ensures that findings reported outside the PR diff are mapped to the nearest relevant changed line, keeping security issues visible even when the exact location isn’t commentable.

These updates streamline security reviews, reducing distractions while ensuring developers can quickly act on vulnerabilities within PRs.
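The two behaviours above, a severity-ordered cap on inline comments and snapping out-of-diff findings to the nearest changed line, are easy to get subtly wrong (ties, files the PR never touched, what to say in the summary). The block below is an added illustration of that logic, not Snyk's implementation: it assumes findings arrive as file/line/severity records, that the diff is known as a map of file to changed line numbers, that a finding in a file the PR does not touch cannot be anchored at all and is reported only in the summary, and that distance ties resolve to the lower line number. All sample findings and changed lines are constructed.

```python
"""Added illustration (not Snyk's implementation) of capping inline PR comments
at N findings ordered by severity and mapping findings outside the diff to the
nearest changed line in the same file."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
MAX_INLINE_COMMENTS = 10  # cap stated in the notice


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    severity: str
    title: str


def nearest_changed_line(line: int, changed: List[int]) -> Optional[int]:
    """Closest changed line to `line`; ties go to the lower line number.
    None when the file has no changed lines to anchor on."""
    if not changed:
        return None
    return min(changed, key=lambda c: (abs(c - line), c))


def place_inline_comments(
    findings: List[Finding],
    changed_lines: Dict[str, List[int]],
    cap: int = MAX_INLINE_COMMENTS,
) -> Tuple[List[Tuple[str, int, Finding]], int, List[Finding]]:
    """Return (comments, overflow, unplaceable).

    comments    - up to `cap` (file, anchor_line, finding) tuples, most severe first
    overflow    - how many placeable findings were dropped by the cap
    unplaceable - findings in files the PR does not touch (assumption: these
                  can only be mentioned in the summary comment)
    """
    ranked = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.file, f.line))
    placed, unplaceable = [], []
    for f in ranked:
        anchor = nearest_changed_line(f.line, changed_lines.get(f.file, []))
        if anchor is None:
            unplaceable.append(f)
            continue
        placed.append((f.file, anchor, f))
    overflow = max(0, len(placed) - cap)
    return placed[:cap], overflow, unplaceable


def summary_line(comments, overflow: int, unplaceable) -> str:
    """Text for the PR summary comment when not everything fits inline."""
    parts = [f"{len(comments)} finding(s) commented inline"]
    if overflow:
        parts.append(f"{overflow} more not shown inline (cap {MAX_INLINE_COMMENTS})")
    if unplaceable:
        parts.append(f"{len(unplaceable)} in files outside this PR")
    return "; ".join(parts)


# Constructed sample diff and findings (not real scan output).
SAMPLE_CHANGED = {"app/routes.py": [10, 11, 12, 40, 41], "app/db.py": [5]}
SAMPLE_FINDINGS = [
    Finding("app/routes.py", 200, "critical", "SQL injection"),   # outside diff -> 41
    Finding("app/db.py", 5, "high", "Hardcoded credential"),
    Finding("lib/legacy.py", 3, "critical", "Path traversal"),     # file untouched by PR
] + [Finding("app/routes.py", 11, "low", f"Low issue {i}") for i in range(10)]


if __name__ == "__main__":
    comments, overflow, unplaceable = place_inline_comments(SAMPLE_FINDINGS, SAMPLE_CHANGED)
    for file, anchor, f in comments:
        print(f"{file}:{anchor}  [{f.severity}] {f.title} (reported at line {f.line})")
    print(summary_line(comments, overflow, unplaceable))
```

Note the ordering choice: the critical finding at line 200 is anchored at line 41 and still wins the first slot, while two of the ten low findings fall to the summary. If your own tooling sorts by line number instead of severity, the cap silently drops the findings you most wanted reviewers to see.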


Mayank Khera | Senior Product Manager

Getting ready for Faster PR checks in JavaScript & Python

Improved

In 2025, Snyk Code will improve PR check performance for JavaScript and Python, enabling faster scans.

As a preparation, this update restructures some rules, simplifying the result set while maintaining detection accuracy.

What's New?

  • JavaScript DDoS Detection: Instead of multiple findings, only the misconfigured web server instance will be highlighted.

  • Python XSS Detection (when using the Jinja Framework): Repeated findings are consolidated into a single misconfiguration highlight for better clarity.

This update will roll out as part of our JavaScript and Python language support on March 10, 2025.


Sebastian Roth | Senior Product Manager

Coming March 17: Snyk Code Support for Spring WebFlux

New

We’re expanding Snyk Code’s Java support with the addition of Spring WebFlux, a widely used reactive web framework.

What’s New?

  • Recognize WebFlux APIs, including Mono and Flux types, to better understand application behavior.

  • Detect tainted data sources in functional endpoints, improving security analysis for reactive applications.

This update will be available as part of our Java language support on March 17, 2025.


Sebastian Roth | Senior Product Manager

Announcing Snyk CLI v1.1295.4

New

We’ve released a CLI hotfix (v1.1295.4), resolving CVE-2025-21614. This hotfix upgrades necessary dependencies and maintains the same user experience as the previous stable version.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version!


Costin Busioc | Senior Product Manager