Product Updates

Test your Maven 4 projects now with RC4 support

General availability

Maven 4 is the long-awaited next major upgrade for Maven. We are happy to announce General Availability (GA) support for Maven 4 Release Candidate 4 (RC4). This new capability is available for both our command-line interface (CLI) and source code management (SCM) integrations, giving you the opportunity to test your repositories with this new version of Maven before its official release.

While the official Maven 4 GA release date is not set, we want to provide an opportunity to test your projects in advance. By supporting the final planned Release Candidate, you can get ahead of the official upgrade and help us by giving feedback before the final release.

This update is for early adopters who want to test their repositories against Maven 4 before it becomes official. You can now use Snyk to scan your Maven 4 RC4 projects through the CLI and your SCM integrations. Please be aware that this is support for a Release Candidate, and the following features are not supported:

  • CI-friendly variables

  • Conditional Profile Activation

  • Alternative Project Object Model (POM) syntaxes

Snyk Support for Java and Kotlin

Improvements to Reachability for Snyk Open Source 🎉

Improved

We’re pleased to share that on November 5th, 2025 we will release improvements to Reachability for JavaScript and TypeScript. Upon release, Reachability will be supported for over 98% of applicable vulnerabilities, helping you better prioritize which issues to fix first.

You may see minor fluctuations in the reachability and Risk Score for issues in your npm, pnpm, or Yarn projects.

This release is a part of ongoing engine improvements related to coverage and quality. You can expect similar improvements to be released twice monthly for all languages in General Availability, helping to regulate false positives and negatives across your projects.

To learn more about how to get up and running with Reachability, please read our User Docs.

Ryan Searle | Product Director

Python 3.14 support is now available

General availability

We're happy to announce that we now support Python 3.14. Following its release on October 7, 2025, this support is now generally available (GA). You can now scan your Python 3.14 projects using both the command line interface (CLI) and your source control manager (SCM) integrations.

Python is a top-priority ecosystem for many of our users. We're committed to providing support for new language versions as quickly as possible so you can upgrade and stay secure without interruption.

You can now import and scan your Python 3.14 projects from the CLI or your connected SCM. Please remember: if your project does not have a Python version specified, you need to configure it in the UI to use Python 3.14.

To learn more, visit Snyk for Python in our user documentation.

Improvements to Reachability for Snyk Open Source 🎉

Improved

We’re pleased to announce that on October 20th, we will be releasing several improvements to the Reachability analysis for Snyk Open Source. 

  • As a Group admin, you can now enable Reachability for your Orgs at scale by using new Group-level settings. See our User Docs for more details on how to set this up.

  • As part of the Early Access of Reachability for Python, we’ve improved our vulnerability coverage. Reachability is now supported for over 99% of applicable vulnerabilities. You may see an increase in the number of issues detected as reachable across pip, pipenv, and Poetry projects.

  • In June, we announced that you can expect to see ongoing coverage improvements to Reachability for Java. We have made some changes that will provide greater coverage for your packages. You may see an increase in the number of issues detected as reachable across Maven and Gradle projects.

  • We’ve made some tweaks to how we handle transitivity in first-party code, now capturing only the “entry points” where you directly call third-party packages. This should improve performance and make the reachable paths information easier to understand.

We hope these improvements make it easier for you to begin using reachability as a prioritization signal when planning your remediation efforts. If you have any questions, please reach out.

Ryan Searle | Product Director

You can now use pnpm across Snyk

General availability

We're excited to announce that our support for the pnpm package manager is now generally available (GA). This update applies across the command line interface (CLI) and all Snyk source code management (SCM) integrations. Any new pnpm projects you import will now be correctly identified and scanned.

This has been a top request from the JavaScript community. We listened to your feedback and are thrilled to deliver this improvement to better support your workflows.

There is no action required from you. Over the next month, we will automatically migrate any of your existing projects that were previously misidentified as npm projects. All project history and any ignores you have configured will be preserved during this migration.

To learn more, visit the Supported Languages List in our user documentation.

Johann Sutherland

Azure DevOps Duplicated Assets - Snyk Essentials

Fix

Users have reported duplicated repository counts in Inventory for their Azure DevOps repositories. Snyk has developed a fix for this issue, which will be applied in all regions on September 17th. No action is required to apply the fix. Users affected by the duplications will see a corresponding decrease in their repository count in the Inventory.

For any questions, don't hesitate to reach out to the Snyk support team.

Noa Moshe | Product Manager

Bitbucket Cloud API Key support - Snyk Essentials

New

Atlassian will deprecate App Passwords in Bitbucket Cloud and transition to API tokens, which provide a more secure authentication method, increased admin flexibility, and additional expiry controls. To align and support this change, Snyk Essentials will be supporting API tokens starting September 9th.

Main highlights include:

  • Support of the API Key

  • Users who integrate on or after September 9th, 2025, will need to provide user email and API Key

  • Existing integrations that are already using app passwords will continue to function without interruption until June 9th, 2026, when app passwords will stop working entirely (or if the app password expires before June 9th).

Users are advised to migrate to the API key starting September 9th, 2025. For any questions, don't hesitate to reach out to the Snyk support team.

Noa Moshe | Product Manager

Improvements for JavaScript developers in Snyk Open Source 🎉

Improved

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

  • pnpm versions 7-10, including workspaces

  • All Snyk SCM integrations

  • Snyk CLI

  • Snyk CI plug-ins

  • PR Checks

  • Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

  • Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

  • Snyk now correctly throws errors for out-of-sync Yarn manifest files using resolutions, when running under the default strict out of sync mode. Previously, this setting would get ignored for Yarn resolutions.

  • Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

  • Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.

Johann Sutherland

Ruby and Maven improvements for SCM projects 🎉

New

Over the coming weeks we will be introducing a few improvements to Maven and Ruby projects imported through SCM integrations.

Ruby

Starting today, we are releasing minor improvements to Fix PRs for Ruby.

  • Snyk fixes vulnerabilities by updating vulnerable gems, running bundle update to re-lock your Gemfile.lock.

  • When a Ruby version is not explicitly declared in the Gemfile, Snyk now defaults to Ruby 3.3 or latest. Previously, Snyk would default to 2.7.

  • Additionally, Snyk now supports Ruby versions 3.3 and 3.4.

These changes have no impact on findings, but should improve the success rate of Fix PRs.

Maven

Starting two weeks from today, we’ll start gradually rolling out improvements to dependency resolution for Maven. The roll-out is expected to last approximately 1 month.

  • Snapshot artifacts, e.g. org.example:foo:1.0.0-SNAPSHOT, are published to Maven with unique versioning information. Snyk was previously not correctly resolving these dependencies, impacting the accuracy of projects and related issues. This will be fixed and projects will accurately detect these dependencies.

  • Logic for “provided” transitive dependencies is now correct and aligns with Snyk CLI and how Maven handles these cases.

Both of the Maven improvements have the potential to change the number of dependencies and issues detected in the project.

Please refer to our User Docs for more information on supported languages.

Ryan Searle | Product Director

PR Comments to Be Default Enabled and Generally Available by September 8, 2025

Early access

We’re excited to announce that Issue Summary Comments and High-Context Inline Comments will be coming to General Availability for the second wave of SCMs. Starting August 26, 2025, these capabilities will be enabled by default for all customers using PR checks. The rollout will complete by September 8, 2025.

The following SCM integrations are in scope:

  • GitLab

  • Azure Repos

  • Bitbucket Server

What’s included in this release

Repositories with PR checks enabled will automatically receive:

  • Issue Summary Comments for both success and failure cases (covering Snyk Code + Open Source security and license findings)

  • High-Context Inline Comments for Snyk Code issues

Repositories that have either (1) manually disabled either of the comments after initial enablement or (2) disabled summary comments for success scenarios during Early Access will remain unchanged, ensuring prior preferences are respected.

🛑 Opt-Out Requests

Opt-out requests can be submitted via our dedicated form or through your Snyk POC (include Group/Org IDs). Submissions received on or before Aug 25, 2025 will not be default enabled. To customize your preferences at any time after default enablement, you can simply visit your integration settings in the Snyk WebUI where you can toggle comments off.


This release will be a big step forward in our mission to make security native to the developer experience and we’re excited to see how this helps your teams fix issues faster. Please reach out to your account team if you’d like to join upcoming feedback sessions and help shape the future of Snyk’s Pull Request experience.

Mayank Khera | Senior Product Manager