Product Updates

Over the coming weeks we will be releasing a number of exciting improvements for JavaScript developers across the npm, pnpm, and Yarn ecosystems.

✨ pnpm general availability (GA)

pnpm is a fast and efficient JavaScript package manager often used for large monorepos. We’re excited that our support for pnpm will be generally available across CLI and SCM integrations in October 2025.

Starting on September 10th, we will begin gradually rolling out support to all customers. During this time, Snyk Projects previously misidentified as npm due to the presence of a package.json will be migrated to pnpm, maintaining all history and ignores.

Here's a summary of what's supported, but please keep an eye on our User Docs for more details:

• pnpm versions 7-10, including workspaces

• All Snyk SCM integrations

• Snyk CLI

• Snyk CI plug-ins

• PR Checks

• Fix PRs

✨ npm & Yarn improvements (GA)

npm and Yarn are two of the most extensively used package managers in the JavaScript ecosystem.

Over the next month, we will be gradually rolling out some minor improvements to how we scan Projects from these ecosystems in our SCM integrations—improving accuracy and offering consistency with our CLI.

Stay tuned for the following changes:

• Snyk now supports using multiple versions of the same dependency with Yarn through our SCM integrations. Previously, this would lead to errors.

• Snyk now correctly throws errors for out-of-sync Yarn manifest files using resolutions, when running under the default strict out of sync mode. Previously, this setting would get ignored for Yarn resolutions.

• Snyk now supports dependency aliases with Yarn and npm through our SCM integrations. Previously, aliases were not supported and could lead to false negatives.

• Snyk now offers more accurate results for npm projects using top level Bundled Dependencies.

These improvements have the potential to change the number of dependencies and issues detected in the project.

Launching in Early Access on August 4th, 2025, Snyk Agent Fix eliminates the manual overhead of resolving vulnerabilities, helping developers merge secure PRs faster while integrating seamlessly into their existing workflows. With Snyk Agent Fix, developers are empowered to act immediately on SAST findings by generating and applying fix suggestions directly within pull requests, reducing context switching and streamlining remediation.

The following capabilities are supported for Early Access:

• Generate fix suggestions using the @snyk /fix command in a PR inline comment, displaying a proposed code change.

• View an explanation of the suggested fix alongside the code snippet.

• Apply the suggested code directly to the PR as a commit using the @snyk /apply command.

• Generate multiple fix suggestions within the same PR, where applicable.

The following Bitbucket integrations: Bitbucket Cloud, Bitbucket Cloud App, and Bitbucket Server will be supported. If you’d like to enable this feature for your organization, you can self-opt in via the Pull Request Experience section in your SCM integration settings.

Check out our user docs for more details and connect with your account team to participate in feedback sessions to shape the future of your workflows with Snyk.

We've released a hotfix for our Visual Studio extension (v2.1.1) to enhance clarity in multi-project setups.

Specifically, we've addressed the following:

• Enhanced Project Identification: The OSS file tree nodes now include the relative path to the project.assets.json file in addition to the project folder path. This change aims to provide a more intuitive and informative experience when working with multi-project workspaces.

If you have any questions, feel free to reach out to the Snyk support team.

We encourage everyone to upgrade to the latest version!