Product Updates

Poetry 2 support

Improved

We are pleased to announce upcoming support for Poetry 2 in Snyk Open Source.

Poetry 2.0.0 was released on Jan 5th, with a number of functional improvements including support for the standard PEP 621 format for declaring dependencies in the pyproject.toml manifest file.

From March 26th, Poetry 2 will be supported in both the Snyk CLI and SCM integrations, with the same features as for Poetry 1.

After this update, to see results for Poetry 2 projects you should take the following actions:

  • SCM: Re-import any git repositories containing Poetry 2 projects

  • CLI: Upgrade to the new CLI version and run snyk test or snyk monitor as usual.

Customers using the --all-projects CLI param in their CI/CD pipelines may see new findings when Poetry 2 projects are detected as a result of this enhancement.

Improved License Data Accuracy for Maven & NPM

Improved

🔄 More Reliable License Data, Fewer Surprises

We’re rolling out an upgrade to our license data acquisition system for Maven and NPM, bringing fresher, more accurate data and better control over license overrides when needed.

What’s Changing?

✅ More accurate & fresher license data

✅ Previously undetected licenses may now appear, enabling greater compliance

Why It Matters?

This update enhances data reliability and streamlines license overrides, making it easier to manage license compliance with confidence.

📅 Rolling out March 19th! Most customers won't notice this change, but in some cases you may see an increase in High or Critical License Issues depending on your configured License Policies.

Improvements to ignore types on the project page

Improved

On the projects pages, all ignore types will now allow expiration dates to be set. Additionally, the ignore type currently labeled "Ignore Permanently" on the projects page will be relabeled "Won't Fix" to match what is reflected in the API.

Ezra Tanzer | Director, Product Management

Snyk Generated Pull Requests report is now available in Early Access

Early access

Currently, Snyk can automatically create pull requests (PRs) on your behalf to upgrade your dependencies based on the relevant scan results. These can help you pay down your security vulnerability backlog, introduce fixes for newly discovered issues, or keep your dependencies up to date with new versions.

With our new "Snyk Generated Pull Requests" report now available in Early Access, you can visually track and measure the impact of these fix PRs. This report enables you to review how many Snyk Fix, Backlog, and Upgrade PRs were opened, merged, or closed across your repositories, and observe the overall mean time to merge. This report, available for all supported SCM integrations, can be filtered by organization, repository, project, or source and is refreshed every 90 minutes.

To view this report, simply navigate to the Reports section of your Group or Organization and choose “Snyk Generated Pull Requests” from the "Change Report" drop-down menu.

For more information, visit our reports documentation.

Jeff Andersen | Director, Product Management

High Context Inline Comments: Enhancements for a Better PR Experience

Early access

As part of our commitment to improving the pull request experience, we’ve introduced key enhancements to Inline Comments which boost developers' productivity by bringing detailed security findings directly into their PRs.

What’s new:

✅ Inline Comments are now capped at 10, prioritizing the most critical vulnerabilities by severity to prevent clutter and avoid SCM rate limits. If more than 10 findings exist, a note in the PR Summary Comment will notify you.

✅ Smarter vulnerability placement ensures that findings reported outside the PR diff are mapped to the nearest relevant changed line, keeping security issues visible even when the exact location isn’t commentable.

These updates streamline security reviews, reducing distractions while ensuring developers can quickly act on vulnerabilities within PRs.

Mayank Khera | Senior Product Manager

Getting ready for Faster PR checks in JavaScript & Python

Improved

In 2025, Snyk Code will improve PR check performance for JavaScript and Python, enabling faster scans.

In preparation, this update restructures some rules, simplifying the result set while maintaining detection accuracy.

What's New?

  • JavaScript DDoS Detection: Instead of multiple findings, only the misconfigured web server instance will be highlighted.

  • Python XSS Detection (when using the Jinja Framework): Repeated findings are consolidated into a single misconfiguration highlight for better clarity.

This update will roll out as part of our JavaScript and Python language support on March 10, 2025.

Sebastian Roth | Senior Product Manager

Coming March 17: Snyk Code Support for Spring WebFlux

New

We’re expanding Snyk Code’s Java support with the addition of Spring WebFlux, a widely used reactive web framework.

What’s New?

  • Recognize WebFlux APIs, including Mono and Flux types, to better understand application behavior.

  • Detect tainted data sources in functional endpoints, improving security analysis for reactive applications.

This update will be available as part of our Java language support on March 17, 2025.

Sebastian Roth | Senior Product Manager

Announcing Snyk CLI v1.1295.4

New

We’ve released a CLI hotfix (v1.1295.4), resolving CVE-2025-21614. This hotfix upgrades necessary dependencies and maintains the same user experience as the previous stable version.

Release notes can be found here.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version!

Costin Busioc | Senior Product Manager

Improve Resolution for Java Interfaces in Snyk Code

Improved

Snyk Code now enhances security scan coverage by automatically identifying which implementation belongs to an interface in Java.

This update improves vulnerability detection, especially for Dependency Injection (DI) frameworks and common design patterns that rely on interfaces.

Customers using these patterns may see an increase in detected vulnerabilities.

What’s New?

  • Resolves an interface to its first and only detected implementation class.

  • Improves scan accuracy for DI-heavy frameworks and reusable design patterns.

  • Shipped as part of our ongoing improvements—already available!

Sebastian Roth | Senior Product Manager

Snyk Learn Reporting Update

Improved

Snyk Learn has released an updated reporting interface that is now generally available for all Snyk Enterprise plan customers. This update offers enhanced visibility into developer security training progress for your Snyk Organizations. By default, Snyk Learn Reports are available to Org/Group Admin roles in Snyk.

What’s New?

  • Improved Performance: Large download requests are now processed asynchronously, significantly boosting performance for large Snyk Organizations.

  • Detailed Reports: Get an overview of learner progress across the Learn catalog, plus user-specific progress reports.

  • Custom Role Support: Control who can see Snyk Learn reports for different Snyk Organizations via Custom Role permissions.

  • API Access: Learner progress data is available via the Learn API (beta), part of the standard Snyk REST API.

Important Changes: As previously communicated in the Snyk Learn app (from August 2024), Free and Team plans no longer have access to Snyk Learn reporting.

Alex Ley | Senior Director, Snyk Learn