Snyk Documentation

How it works

  1. Integration is configured and users enable automatic upgrade PRs.
  2. Snyk scans your projects as you import them and continues to monitor your projects, scanning on a regular basis thereafter.
  3. Per scan, when dependencies with new versions are identified, Snyk does the following:
    • Snyk creates automatic upgrade PRs (frequency based on Snyk project settings)
    • Snyk will not open a new upgrade PR for a dependency that is already changed (upgraded or patched) in an open Snyk PR.
    • Snyk opens separate PRs for each dependency.
    • Snyk will not create upgrade PRs for a repo that already has 5 or more Snyk PRs open; once the limit of open PRs is reached, no new upgrade PRs are created. This number can be set to between 1 and 10 in the Settings. The limit applies only when creating upgrade PRs, but the count of open PRs includes fix PRs. Fix PRs themselves are not limited in this way.
    • Snyk recommends only patch and minor upgrades. Snyk does not recommend upgrades that are known to potentially break your project, nor upgrades that are known to contain vulnerabilities not already found in your project.
    • Snyk does not recommend upgrades to versions that are less than a week old.
    • Snyk does not recommend versions that introduce new vulnerabilities.
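The rules above amount to a per-scan filter over candidate upgrades. The following Python is an added illustrative model of that filter, not Snyk's own code: the dependency names, versions, dates and vulnerability ids are constructed, and processing candidates in list order until the open-PR budget is spent is an assumption about ordering that the documentation does not specify.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Candidate:
    name: str        # dependency name
    current: str     # version the project uses today
    latest: str      # newest version seen by the scan
    released: date   # release date of `latest`
    vulns: frozenset # vulnerability ids affecting `latest`

def is_minor_or_patch(current, latest):
    # Strictly newer and same major version: only minor/patch bumps are recommended
    c, n = (tuple(int(p) for p in v.split(".")) for v in (current, latest))
    return n > c and n[0] == c[0]

def select_upgrade_prs(candidates, open_prs, project_vulns, today, pr_limit=5):
    """Return dependency names for which a new upgrade PR would be opened."""
    assert 1 <= pr_limit <= 10, "open-PR limit is configurable between 1 and 10"
    budget = pr_limit - len(open_prs)   # fix PRs and upgrade PRs both count
    already_changed = {dep for pr in open_prs for dep in pr["deps"]}
    selected = []
    for c in candidates:
        if len(selected) >= budget:
            break                       # limit reached: open no further upgrade PRs
        if c.name in already_changed:
            continue                    # already upgraded/patched in an open Snyk PR
        if not is_minor_or_patch(c.current, c.latest):
            continue                    # major bumps may break the project
        if today - c.released < timedelta(days=7):
            continue                    # version is less than a week old
        if c.vulns - project_vulns:
            continue                    # would introduce a vulnerability not already present
        selected.append(c.name)         # one separate PR per dependency
    return selected

# Constructed sample scan: names, versions, dates and vulnerability ids are made up
TODAY = date(2024, 6, 1)
OPEN_PRS = [{"kind": "fix", "deps": ["axios"]}, {"kind": "upgrade", "deps": ["semver"]}]
PROJECT_VULNS = frozenset({"CONSTRUCTED-VULN-1"})
CANDIDATES = [
    Candidate("lodash", "4.17.15", "4.17.21", TODAY - timedelta(days=30), frozenset()),
    Candidate("express", "4.18.0", "5.0.0", TODAY - timedelta(days=90), frozenset()),
    Candidate("minimist", "1.2.5", "1.2.8", TODAY - timedelta(days=3), frozenset()),
    Candidate("axios", "0.21.0", "0.21.4", TODAY - timedelta(days=60), frozenset()),
    Candidate("yargs", "15.0.0", "15.4.1", TODAY - timedelta(days=40), frozenset({"CONSTRUCTED-VULN-2"})),
    Candidate("debug", "4.3.1", "4.3.4", TODAY - timedelta(days=20), frozenset({"CONSTRUCTED-VULN-1"})),
    Candidate("chalk", "4.1.0", "4.1.2", TODAY - timedelta(days=7), frozenset()),
]
```

With the two open PRs already counting toward the default limit of 5, only three upgrade PRs can be opened: lodash, debug (its vulnerability is already present in the project) and chalk (exactly a week old, so not excluded), while the major bump, the three-day-old release, the dependency already touched by a fix PR and the version carrying a new vulnerability are all skipped.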