Snyk Documentation

How it works

  1. Integration is configured and users enable automatic upgrade PRs.
  2. Snyk scans your projects as you import them and continues to monitor your projects, scanning on a regular basis thereafter.
  3. Per scan, when dependencies with new versions are identified, Snyk does the following:
    • Snyk creates automatic upgrade PRs (frequency based on Snyk project settings), with only one PR per dependency at a time.
    • Snyk opens separate PRs for different dependencies.
    • No more than 10 upgrade PRs from Snyk are created simultaneously (the default limit is 5). If the limit of open PRs is reached, no new ones are created. This number can also be limited further from the Settings.
    • Snyk recommends only patch and minor upgrades. Snyk does not recommend upgrades that are known to potentially break your project, or upgrades that are known to contain vulnerabilities not already found in your project.
    • Snyk does not recommend upgrades to versions that are less than a week old.
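
To predict which upgrade PRs a scan could open under the rules above, the following added example models them as a filter; it is an illustration written for this page, not Snyk's implementation. Assumptions: the function names, the plain major.minor.patch version format, treating a major bump as the breaking case, picking the highest eligible version, visiting dependencies alphabetically, and all sample data (constructed).

```python
from datetime import date, timedelta

MAX_OPEN_PRS = 10             # ceiling stated on the page
DEFAULT_OPEN_PRS = 5          # default stated on the page
MIN_AGE = timedelta(days=7)   # versions less than a week old are skipped

def parse(version):           # plain 'major.minor.patch' assumed
    return tuple(int(part) for part in version.split("."))

def pick_upgrade(current, candidates, today, project_vulns):
    """Return the highest eligible version string, or None."""
    cur = parse(current)
    eligible = []
    for version, published, vulns in candidates:
        ver = parse(version)
        if ver <= cur or ver[0] != cur[0]:
            continue                      # not newer, or a major bump
        if today - published < MIN_AGE:
            continue                      # released less than a week ago
        if vulns - project_vulns:
            continue                      # adds vulnerabilities the project lacks
        eligible.append(ver)
    return ".".join(map(str, max(eligible))) if eligible else None

def plan_prs(deps, open_pr_deps, today, project_vulns, limit=DEFAULT_OPEN_PRS):
    """Return [(dependency, target_version)] for PRs that may be opened."""
    limit = min(limit, MAX_OPEN_PRS)
    planned = []
    for name in sorted(deps):
        if len(open_pr_deps) + len(planned) >= limit:
            break                         # open-PR limit reached
        if name in open_pr_deps:
            continue                      # one PR per dependency at a time
        current, candidates = deps[name]
        target = pick_upgrade(current, candidates, today, project_vulns)
        if target:
            planned.append((name, target))
    return planned

# Constructed sample data (not real packages or advisories).
TODAY = date(2024, 1, 15)
DEPS = {
    "alpha": ("1.2.0", [("1.2.1", date(2024, 1, 1), set()), ("1.3.0", date(2024, 1, 12), set()),
                        ("2.0.0", date(2023, 12, 1), set())]),
    "beta": ("4.0.0", [("4.1.0", date(2023, 12, 20), {"VULN-PLACEHOLDER"})]),
    "gamma": ("0.9.1", [("0.9.2", date(2023, 11, 1), set())]),
    "delta": ("2.5.3", [("2.6.0", date(2024, 1, 8), set())]),
}
print(plan_prs(DEPS, {"gamma"}, TODAY, set()))
```

Here alpha 1.3.0 is held back by the one-week rule, beta 4.1.0 by the new-vulnerability rule, and gamma by its already open PR.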