Product Updates

Merge with Confidence: Introducing Breakability Analysis for Pull Requests (Early Access)

Early access

We are excited to announce the Early Access launch of Breakability Analysis for Snyk Pull Requests, furthering our mission to help developers fix vulnerabilities without slowing down innovation.

We understand that the "fear of breaking the build" is a major blocker to keeping dependencies up to date. Updating a library to fix a security issue shouldn't feel like a gamble. That’s why we have introduced a new predictive risk assessment to help you distinguish between a quick fix and a complex upgrade.

Starting today via Snyk Preview, Snyk will analyze proposed dependency upgrades and assign a Breakability (Merge) Risk Score directly within the PR description:

  • 🟢 Low Risk (Safe to Merge): We have high confidence the upgrade contains only non-breaking changes (e.g., security patches or EOL runtime drops). These are strong candidates for auto-merging.

  • 🟡 Medium Risk: Caution is advised due to ambiguous change log data or environmental factors.

  • 🔴 High Risk (Action Required): We have identified likely breaking changes (e.g., API removals) that will probably require code refactoring. These should be prioritized for a dedicated sprint.

This insight allows your team to burn down the backlog of "Low Risk" fixes quickly while preventing "High Risk" upgrades from silently breaking your builds.

This feature is available now in Early Access for supported ecosystems. You can enable it for your organization by navigating to Settings > Snyk Preview.

Read more about the assessment here.

Enjoy merging with confidence!

P.S. Please note that at this time, Breakability Analysis involves sending package information, including the current and proposed upgrade version, to an LLM. AI generated content may contain errors and should be reviewed for accuracy before use.

Better risk mapping with OWASP Top 10 2025

Improved

We’re replacing the OWASP Top 10 (2021) report with the newly updated OWASP Top 10 (2025) report. This update ensures that your security reporting reflects the latest industry standards for web application risks. We’ve also resolved a bug where filters were not correctly applied when navigating from the report to the issue details page.

The Open Web Application Security Project (OWASP) updated their list of the ten most critical web application security risks in 2025. To help you maintain compliance and stay ahead of evolving threats, we’ve updated our reporting to map security issues to these current controls rather than the previous 2021 versions.

You can now view and filter security issues based on the frequency and severity cited in the 2025 OWASP rankings. To access this, navigate to Reports > OWASP Top 10 (2025). While the 2021 version of the report is no longer available in the dropdown menu, you can temporarily still access it via its direct URL if needed.

To learn more, visit OWASP Top 10 report in our user documentation.

Sara Meadzinger | Staff Product Manager

Snyk Advisor insights are now part of security.snyk.io 🎉

Improved

We’ve completed the migration of Snyk Advisor into security.snyk.io, bringing package intelligence directly into the security experience.

Package pages now include Snyk Advisor insights alongside vulnerability data, providing a more complete and consistent view of open-source package health.

What’s new

  • Snyk Advisor metrics - Popularity, Maintenance, Security, and Community - now appear directly on package pages for supported ecosystems.

  • Package health insights can be explored without leaving security.snyk.io.

  • Advisor URLs now redirect to their corresponding package pages on security.snyk.io.

These updates make it easier to evaluate open source packages in context, supported by the same trusted data that powers Snyk Advisor.

To explore the updated experience, visit any package page on security.snyk.io. For more details, see Snyk Docs and the Blog post.


Noa Yaffe-Ermoza | Product Manager

Snyk Code - February 2026 Update

Improved

Snyk Code enhances analysis across multiple language ecosystems

We’ve updated Snyk Code to improve accuracy and coverage for many of the languages and frameworks you use. These enhancements help identify more true positive findings and remove false positives from your results, providing a more reliable view of your security posture.

Expanded language and framework support

The latest updates introduce support for several modern frameworks and libraries:

  • C# 14 and .NET 10: Analysis now includes the latest C# and .NET versions, which also covers VB.NET applications built on the .NET 10 framework.

  • Kotlin and Java: We improved support for Spring WebFlux and JAX-RS in Kotlin. We also added better coverage for grpc-spring based gRPC clients in both Java and Kotlin.

  • JavaScript and TypeScript: Snyk Code now supports the Sequelize library.

  • Go: We added support for the Fiber framework.

  • Swift: Analysis now includes the grpc-swift library for gRPC use cases.

These changes will be available as part of our general availability support for these ecosystems. You can see these improvements reflected in your scan results in the Web UI or CLI.

The changes will roll out on February 23, 2026.

To learn more, visit Snyk Code language and framework support in our user documentation.

Sebastian Roth | Senior Product Manager

Blocking mode for Snyk API & Web CLI

Improved

We’ve introduced the follow-scan command to the Snyk API & Web (DAST) command-line interface (CLI) starting with version 0.0.1a15. This update allows the CLI to wait for a scan to finish before your CI/CD pipeline continues. We've also added new configuration options that let you set time limits for scans and define specific vulnerability thresholds that will automatically fail a build. After each run, we provide a direct link to your results for faster triaging.

You can now automatically block high-risk code from progressing through your CI/CD pipeline. By using the latest CLI version, you gain native control over build failures without needing to manage complex workarounds or manual checks.

To learn more, visit Snyk API & Web CLI documentation.

Natalia Yurchenko | Senior Product Manager

Announcing new versions of Snyk IDE plugins

New

We are pleased to announce the release of new stable versions for our IDE plugins.

The new versions are:

This release is focused on enhancing stability and reliability, with key updates including:

  • Automated Org Selection is now generally available: When enabled, Snyk will automatically select the most appropriate organization for your project based on context from your repository and your authentication. If an organization is configured manually, this feature will be overridden. If an appropriate organization cannot be identified automatically, the preferred organization defined in your web account settings will be used as a fallback.

  • New Unified Settings Page: We are rolling out a new unified design for our plugin settings across all our IDE plugins. Users can opt into this new experience early by following the instructions in the User Docs.

  • Risk Scores (Closed Beta): Customers in this closed beta will see a calculated risk score for Open Source issues in the issue details panel and will be able to filter issues by a risk score threshold, in conjunction with existing filters such as severity.

Note: For Visual Studio Code, new Settings will only appear after the application has been restarted.

Please refer to the changelog for each of our plugins for a more detailed list of additional bug fixes and enhancements. You can learn more about the Snyk IDE plugins in our Learn resources.

If you have any questions, feel free to reach out to the Snyk Support team.


Jeff Andersen | Director, Product Management

Improved SBOM testing is now available in Early Access 🎉

Early access

We are excited to share that we've made several improvements to how you test CycloneDX and SPDX SBOM files with Snyk, now available in Early Access for Snyk Open Source and Snyk Container.

These changes give you greater feature parity and a more consistent experience across your CLI testing workflows.

Here's what you can expect in Snyk CLI version 1.1302.0 and greater:

  • The snyk sbom test command no longer requires the use of the --experimental option.

  • You can now use previously unsupported options, including --severity-threshold, --reachability, and --reachability-filter. These additions provide more granular control over your SBOM scanning results.

  • Findings are returned by default in a human readable output and now include any applicable enrichments such as Reachability, Policy, Ignores, and Fix Advice.

  • When you use the --json option, findings will be returned in a new JSON schema.

  • We've also introduced clearer error messages, helping you quickly understand and resolve issues if Snyk is unable to test your SBOM file.

To minimize disruption to your workflows, we recommend reviewing your current integration and making any necessary changes prior to updating.

For those using Snyk CLI versions 1.1301.0 and below, the --experimental flag remains supported, and findings are returned in the previous format.

For more details, please refer to our User Docs.

Ryan Searle | Director, Product Management

Container: Support for pnpm lockfile scanning

New

We have added support for scanning Node.js applications that use pnpm as their package manager within container images. When you scan a container image, Snyk will now automatically detect pnpm-lock.yaml files. If your project contains both a lockfile and node_modules, we will use the lockfile to generate a more accurate dependency graph.

Previously, Snyk Container scans for pnpm-based projects relied on node_modules analysis or less granular detection methods. As pnpm adoption has grown due to its speed and disk efficiency, we wanted to ensure container scanning provided the same depth of coverage as our CLI and SCM integrations.

This update brings container scanning into parity with other Snyk integrations. Users will see improved accuracy in their scan results without needing to change any configurations.

This feature is available in the latest Snyk CLI release. To learn more, visit the Supported workloads page in our user documentation.

Container: New pruning option for large dependency graphs

New

We have introduced a new optimization mechanism to support scanning for enterprise-scale projects with massive dependency graphs. We added a graph pruning capability that allows scans exceeding the standard maxVulnPathsLimit to complete successfully.

Certain large projects generate dependency graphs with over 100,000 vulnerable paths. Previously, these massive graphs hit a hard limit in the Snyk Container monitor, causing the scan to fail completely for large enterprise workloads.

This unblocks scans for large projects. Users who were previously unable to monitor their largest containers due to timeout or complexity errors can now successfully scan them.

CLI users can use the --prune-repeated-subdependencies flag immediately. Customers using container registry integrations should request that the corresponding Feature Flag be enabled for their organization by contacting support.

Container: Improved scanning for stripped and CGo Go binaries

Improved

We have updated Snyk Container to support scanning for stripped Go binaries and those built using CGo. We have enhanced the scanner to use module-level analysis via .go.buildinfo, allowing Snyk to accurately identify dependencies even when debug information is removed or C libraries are used.

Historically, stripped binaries and CGo builds made it difficult for scanners to accurately parse dependencies, potentially leaving vulnerabilities undetectable. This update closes that visibility gap.

Users scanning Go containers may now see new vulnerabilities that were previously hidden due to the limitations of scanning these specific binary types. This ensures more complete security coverage for Go applications.

This improvement is available in Snyk CLI v1.1302.0 (preview and stable releases). Update your CLI to the latest version to ensure your Go container artifacts are fully covered.