1.1296.0 (2025-03-13)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

News

• general: Improved error logging and handling

Features

• container: add support for --exclude-node-modules option (4756f27)
• container: adds kaniko support (bfb69c8)
• general: display a unique interactionID alongside each error (960a71c)
• test: python support for local wheel files specifiers (42675eb)
• test: dep-graph json file output (90f24ec)
• test: print legacy tree with json file output (b256937)
• test: display all applicable maven unmanaged identities (ebf6ba1)
• code: enable v1 fingerprints in code sarif output (00644af)
• test: Add 'pkgIdProvenance' labels to dependency graph nodes when the package identity has been changed from what has been discovered in the manifest files (4d529b3)
• test: added Python support for sys_platform (1aa1565)
• language-server AI fix explain (26d118f)
• language-server enable calling mcp commands via ls commands (6f80a03)
• language-server add scan source to metrics (6f80a03)
• language-server add mcp server, refactoring (6f80a03)
• language-server added a new code action and code lens for showDocument (8e7ab06)
• language-server add Option for Pre-Scan command, fix auth race (64920ac)
• language-server add ideStyle variable to static html (0a05e66)
• language-server intiial commit of shared html for scan summary panel (0a05e66)
• language-server send scan summary and scan base & working directory concurrently (1908a08)
• language-server store folder config outside of git repo, add reference folder (50d0770)
• language-server send initial summary panel notification (50d0770)
• language-server add a new $/snyk.scanSummary notificiation (fc80c9c)
• language-server support maven pom hierarchies for highlighting & fixes (e5924fc)
• language-server Sending a user event when fixing inside the editor (e5924fc)
• language-server Sending IDE+extension versions to autofix (a18975a)

Bug Fixes

• container: add container test doc info for --exclude-node-modules (2faf2d1)
• test: fix dotnet UTF-16LE support for target framework (e90075a)
• test: reduce false positives when scanning improved dotnet projects (c21625a)
• test: use --strict-out-of-sync when set to false with pnpm for top level dependencies (8d5b71a)
• test: fix OutOfSync errors in pnpm for download urls (b6e4ea0)
• test: fix OutOfSync errors in pnpm git protocol dependencies (5c8dc34)
• code: Don't write sarif files when no results are found (5a15113)
• code: Support single file test for golang native implementation (d7881f1)
• sbom: mavenAggregateProject with Dverbose or sbom (e88cf71)
• iac: Updates the user messages for snyk iac test --report for IaC V2 (1c9b3b3)
• language-server check folder trust before opening/changing/saving file (26d118f)
• language-server new issue summary totals (6f80a03)
• language-server add correct lesson url for license issues (6f80a03)
• language-server issues with non-UTF-8 encoded files in Snyk Code (8e7ab06)
• language-server ignore first dataflow element for oss fingerprint (64920ac)
• language-server use workdir folderConfig for ref Scan (64920ac)
• language-server test bundle add size property (0a05e66)
• language-server normalize path for file filter and reduce memory footprint (0a05e66)
• language-server add ideScript to Summary html (0a05e66)
• language-server add css variables and headers (0a05e66)
• language-server panic in range_finder (50d0770)
• language-server fix issue metadata used for hashing (fc80c9c)
• language-server use diff without enricher for delta (b213b58)
• language-server move issue view option filtering to the LS to not display ignored diagnostics in editor (b213b58)
• language-server add api version query to explain API URL (b213b58)

1.1295.4 (2025-02-25)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

Bug Fixes

• security: Upgrades dependencies to addressCVE-2023-37788

1.1295.3 (2025-02-11)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

Bug Fixes

• security: Upgrades dependencies to addressCVE-2025-21614
• language-server: Improved memory usage when executing code scans on large projects
• language-server: Fix incorrect filtering of files when executing code scans which could fail the analysis
• language-server: Fix random unexpected logouts when using OAuth2 authentication

1.1295.2 (2025-01-24)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

Bug Fixes

• general: revert dependencies upgrade which introduced a regression on a number of Linux installations

1.1295.1 (2025-01-23)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

Bug Fixes

• security: Upgrades goproxy to 1.5 to address a high severity vulnerability
• security: Upgrades dependencies in IaC plugin to addressCVE-2025-21614

1.1295.0 (2025-01-08)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

Features

• iac: include evidence field in json output [IAC-3161] (9487a08)
• auth: auto detect API Url during OAuth authentication (6884511)

Bug Fixes

• test: support verbose gradle graphs for sbom generation (600ef50)
• general: prevent snyk-policy lib from interrupting stdout to ensure valid --json --sarif output (469edf5)
• general: improved error messages around network requests (f6fc5f7)
• general: only read SNYK_ prefixed env vars (5bfcbe8)
• instrumentation: add default oss product for monitor as well (83cabc3)
• container: optional dependencies are properly connected in the dep-graph (3205e66)
• container: package-lock v3 missing sub-dependencies94c9b7f)
• container: support --exclude-app-vulns with oauth (73a75fa)
• monitor: use error catalog messages for monitor commands (4e58601)
• iac: extra error handling and debugging [IAC-3138] (7fbae0f)
• iac: snyk-iac-test security update [IAC-3171] (fac22bb)
• iac: update snyk-iac-parsers version [IAC-3138] (5326d9d)
• iac: use proxy aware snyk-iac-test [INC-1647] (d5d1e2e)
• test: do not treat warnings as errors on restore (d0113eb)
• test:fix mismatch/off-by-one on unmanagedDependencyCount in the analytics logs UNIFY-340 (75d8e6d)
• test: update snyk-nodejs-plugin to fix micromatch vuln (766bd1d)
• test: upgrade mvn-plugin to handle jar scanning sha-not-found error (060380a)
• test: fix runtime versions overwriting nuget versions (5e715cf)
• instrumentation: stop sending CLI args in analytics (6d183fb)
• policy update policy library to fix valid json output (0bc0aed)

1.1294.3 (2024-12-12)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

Bug Fixes

• security: update golang.org/x/crypto/ssh to fix acritical vulnerability

1.1294.2 (2024-11-26)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

Bug Fixes

• container: ignore npm/yarn default cache directories
• container: fix: avoid possible unhandled promise rejections

1.1294.1 (2024-11-20)

Bug Fixes

• container: unable to process RedHat images when the “content_sets” attribute was missing in the redhat-content-manifests file. (snyk/snyk-docker-plugin#615)
• container: skip optional dependencies when testing Python projects to prevent "too many vulnerable paths for conversion to legacy test output" error (snyk/snyk-docker-plugin#614)
• container,test,monitor prevents "Invalid JSON" being produced when debugging is enabled and policies are being applied. (#5583)

1.1294.0 (2024-10-23)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please seethis documentation

News

• CycloneDX 1.6 SBOM support This new version now supports generating CycloneDX 1.6 SBOMs using thesnyk sbom command, providing you with more comprehensive and detailed information about your software components and their dependencies.Read more about the CycloneDX version announcement here.
• Improved CLI monitoring of large Cocoapods projects When doing asnyk monitor on very large Cocoapods applications, the CLI sometimes returned anInvalid String OOM error and the operation would fail. Although this error was rare, we have fixed it so large Cocoapods applications can now be monitored successfully.
• Fix for security issue The Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted (PHP|Gradle) project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk always recommends not scanning untrusted projects.

Features

• sbom: add CycloneDX 1.6 SBOM support (1330fc2)
• deployment: Deploy alpine arm64 binaries (9daace4)
• monitor: enable cocoapods to send graphs for cli monitor (ca56c69)
• iac: pass allow analytics flag to snyk-iac-test [IAC-3017] (b12d3ac)

Bug Fixes

• all: restore cert file if it was externally removed (ef1547f)
• auth: missing auth issue with oauth (57ae95c)
• iac: upgrade iac custom rules ext to address vulns [IAC-3065] (d6cc509)
• iac: upgrade snyk-iac-test to v0.55.1 [IAC-2940] (0dadc90)
• monitor: add normalize help for deriving target files [CLI-448] (82efb50)
• sbom: include CVE in JSON output of sbom test command (a543179)
• sbom: add missing option --gradle-normalize-deps to SBOM command (151f63d)
• test: default limit to max vulnerable paths per vuln, add override option--max-vulnerable-paths (302d7ac)
• test: do not show test deps for Dverbose mvn with dependencyManagement (67e0de9)
• test: fixed support for pnpm alias packages (d506de1)
• test: point snyk policy out urls to snyk.io (28509a3)
• test: scan non publishable projects on improved net (a6c0e67)
• test: scan nuget with PublishSingleFile turned on (2c74298)
• dependencies: update snyk-nodejs-plugin to fix micromatch vuln (baef934)
• dependencies: address security vulnerability in snyk-php-pluginCVE-2024-48963 (7798d13)
• dependencies: address security vulnerability in snyk-gradle-pluginCVE-2024-48964 (c614284)
• dependencies: upgrade go-getter to 1.7.5 (970de96)
• dependencies: upgrade iac extension and snyk-iac-test (9134c05)
• dependencies: upgrade slack/webhook to 7.0.3 (8ab4433)