Product Updates


Azure DevOps Duplicated Assets - Snyk Essentials

Fix

Users have reported duplicated repository counts in Inventory for their Azure DevOps repositories. Snyk has developed a fix for this issue, which will be applied in all regions on September 17th. No action is required to apply the fix. Users affected by the duplications will see a corresponding decrease in their repository count in the Inventory.

For any questions, don't hesitate to reach out to the Snyk support team.


Noa Moshe | Product Manager

Bitbucket Cloud API Key support - Snyk Essentials

New

Atlassian will deprecate App Passwords in Bitbucket Cloud and transition to API tokens, which provide a more secure authentication method, increased admin flexibility, and additional expiry controls. To align and support this change, Snyk Essentials will be supporting API tokens starting September 9th.

Main highlights include:

  • Support of the API Key

  • Users who integrate on or after September 9th, 2025, will need to provide user email and API Key

  • Existing integrations that are already using app passwords will continue to function without interruption until June 9th, 2026, when app passwords will stop working entirely (or if the app password expires before June 9th).

Users are advised to migrate to the API key starting September 9th, 2025. For any questions, don't hesitate to reach out to the Snyk support team.


Noa Moshe | Product Manager

Improvements for JavaScript developers in Snyk Open Source 🎉

Improved

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

  • pnpm versions 7-10, including workspaces

  • All Snyk SCM integrations

  • Snyk CLI

  • Snyk CI plug-ins

  • PR Checks

  • Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

  • Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

  • Snyk now correctly throws errors for out-of-sync Yarn manifest files using resolutions, when running under the default strict out of sync mode. Previously, this setting would get ignored for Yarn resolutions.

  • Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

  • Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.


Johann Sutherland

Ruby and Maven improvements for SCM projects 🎉

New

Over the coming weeks we will be introducing a few improvements to Maven and Ruby projects imported through SCM integrations.

Ruby

Starting today, we are releasing minor improvements to Fix PRs for Ruby.

  • Snyk fixes vulnerabilities by updating vulnerable gems, running bundle update to re-lock your Gemfile.lock.

  • When a Ruby version is not explicitly declared in the Gemfile, Snyk now defaults to Ruby 3.3 or latest. Previously, Snyk would default to 2.7.

  • Additionally, Snyk now supports Ruby versions 3.3 and 3.4.

These changes have no impact on findings, but should improve the success rate of Fix PRs.

Maven

Starting two weeks from today, we’ll start gradually rolling out improvements to dependency resolution for Maven. The roll-out is expected to last approximately 1 month.

  • Snapshot artifacts, e.g. org.example:foo:1.0.0-SNAPSHOT, are published to Maven with unique versioning information. Snyk was previously not correctly resolving these dependencies, impacting the accuracy of projects and related issues. This will be fixed and projects will accurately detect these dependencies.

  • Logic for “provided” transitive dependencies is now correct and aligns with Snyk CLI and how Maven handles these cases.

Both of the Maven improvements have the potential to change the number of dependencies and issues detected in the project.

Please refer to our User Docs for more information on supported languages.


Ryan Searle | Product Director

PR Comments to Be Default Enabled and Generally Available by September 8, 2025

Early access

We’re excited to announce that Issue Summary Comments and High-Context Inline Comments will be coming to General Availability for the second wave of SCMs. Starting August 26, 2025, these capabilities will be enabled by default for all customers using PR checks. The rollout will complete by September 8, 2025.

The following SCM integrations are in scope:

  • GitLab

  • Azure Repos

  • Bitbucket Server

What’s included in this release

Repositories with PR checks enabled will automatically receive:

  • Issue Summary Comments for both success and failure cases (covering Snyk Code + Open Source security and license findings)

  • High-Context Inline Comments for Snyk Code issues

Repositories that have either (1) manually disabled either of the comments after initial enablement or (2) disabled summary comments for success scenarios during Early Access will remain unchanged, ensuring prior preferences are respected.

🛑 Opt-Out Requests

Opt-out requests can be submitted via our dedicated form or through your Snyk POC (include Group/Org IDs). Submissions received on or before Aug 25, 2025 will not be default enabled. To customize your preferences at any time after default enablement, you can simply visit your integration settings in the Snyk WebUI where you can toggle comments off.


This release will be a big step forward in our mission to make security native to the developer experience and we’re excited to see how this helps your teams fix issues faster. Please reach out to your account team if you’d like to join upcoming feedback sessions and help shape the future of Snyk’s Pull Request experience.


Mayank Khera | Senior Product Manager

Snyk Essentials: New SCM asset context - organization & project

New

We are excited to announce that a couple of new asset enrichments from the SCM will be available beginning July 30th!

The new asset context properties introduced are:

  1. SCM Project from Bitbucket and Azure DevOps

  2. SCM Organization from all SCMs (representing the SCM Organization in GitHub & Azure DevOps, Workspace in Bitbucket, and Group in GitLab)

With additional asset context, it is possible to better prioritize and classify repositories based on their SCM properties as well. Additionally, this enables users to enforce coverage controls based on the SCM properties.

We are constantly working to provide additional asset context! If you have any asset context that you would like to see in Snyk or have any questions, contact the Snyk Support Team.


Noa Moshe | Product Manager

Snyk Essentials: An asset policy template for email notifications on newly discovered repositories

New

We've added a new asset policy template to easily keep up with new repositories discovered across all SCMs used within a specific Snyk Group.

The out-of-the-box logic is set to notify on newly discovered repositories from the past 7 days that are not yet tested with Snyk. Customers only need to add the list of email recipients to save and start using it.


The template can be tweaked and adjusted as needed.


Maya Mandel | Senior Manager, Product

GitHub Server App is now Generally Available

New

We’re excited to announce the General Availability of the GitHub Server App!

The app is designed specifically for organizations using self-hosted or private cloud deployments of GitHub Enterprise Server, offering a secure and simplified integration with Snyk as an alternative to the existing integration with personal access tokens (PATs).

With features like Role-Based Access Control (RBAC) and granular repository-level permissions, you can manage access efficiently, ensuring your users only see the data they need. These benefits not only simplify policy management but also align with modern security practices, eliminating the need for managing individual accounts. The app is compatible with the newly introduced Universal Broker. You can access the app directly through the integration page—check out the user docs for more details! 🚀


Mayank Khera | Senior Product Manager