snyk · CatalinSnyk · Oct 21, 2025 · Oct 8, 2025 · Oct 8, 2025 · Oct 7, 2025
@@ -19,7 +19,7 @@ parameters:
   go_version:
     type: string
     # https://go.dev/doc/devel/release
-    default: '1.24.6'
+    default: '1.24.8'
   aws_version:
     type: string
     # https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst
@@ -117,14 +117,14 @@ executors:
     resource_class: arm.medium
   macos-arm64:
     macos:
-      # https://circleci.com/docs/2.0/testing-ios/#supported-xcode-versions
-      xcode: '16.4.0'
-    resource_class: macos.m1.medium.gen1
+      # https://circleci.com/developer/machine/image/xcode#image-tags
+      xcode: '26.1.0'
+    resource_class: m4pro.medium
   macos-arm64-large:
     macos:
-      # https://circleci.com/docs/2.0/testing-ios/#supported-xcode-versions
-      xcode: '16.4.0'
-    resource_class: macos.m1.large.gen1
+      # https://circleci.com/developer/machine/image/xcode#image-tags
+      xcode: '26.1.0'
+    resource_class: m4pro.large
   win-server2022-amd64:
     machine:
       image: windows-server-2022-gui:2024.01.1

@@ -1,25 +1,13 @@
-## [1.1300.0](https://github.com/snyk/snyk/compare/v1.1299.1...v1.1300.0) (2025-10-08)
+## [1.1300.1](https://github.com/snyk/snyk/compare/v1.1300.0...v1.1300.1) (2025-10-20)
 
 The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see [this documentation](https://docs.snyk.io/snyk-cli/releases-and-channels-for-the-snyk-cli)
 
 ### Features
 
-* **general:** Improve SARIF compatibility by adding runAutomationDetails ([3e232e5](https://github.com/snyk/snyk/commit/3e232e52a105620c638b211bbc1a8baddeddb170))
-* **container:** Add support scanning system JARs ([54e84d8](https://github.com/snyk/snyk/commit/54e84d8f4efda07f21b0e729f75440fa4608966c))
-* **container:** Add TargetOS to output of container scan ([aa55cd9](https://github.com/snyk/snyk/commit/aa55cd90683995d4143f43173eddee61ecf88167))
-* **test:** Add support for godot projects ([d9fc200](https://github.com/snyk/snyk/commit/d9fc2008287349c63b3144634549c77cb3864fd9))
-* **test:** Add support for maven metaversions ([f321ffa](https://github.com/snyk/snyk/commit/f321ffa6efdf2f269f0b7fb1a87b91332a7da18e))
-* **language-server:** Add CVSSv4 Links in IDE Issue Details
-* **mcp:** Workflow and performance improvements
-
+* **mcp:** Added support for the MCP server to use IDE extension storage when running in VS Code ([7f26dc6](https://github.com/snyk/snyk/commit/7f26dc63f2b650f88bc27604a5568d9e80bcb2a6))
 
 ### Bug Fixes
 
-* **container:** Fixed crashes when scanning docker images with very large files ([72cb040](https://github.com/snyk/snyk/commit/72cb04083d3c204d6755f194f7ccc6e522788f66))
-* **test:** Re-enable support for python 2.7 ([02c7fe3](https://github.com/snyk/snyk/commit/02c7fe373e3ec1a59d15de1f7fe87e461d3fafb5))
-* **test:** Improved error information when using --all-projects ([36d14f9](https://github.com/snyk/snyk/commit/36d14f940003d093df0bdc9d22a32d9b26b6b252))
-* **test:** Fix a bug due to case-sensitive ignores ([b432406](https://github.com/snyk/snyk/commit/b4324066fbdca2224e3a1aca223cde5b2b6e0ea2))
-* **test:** Resolve project assets file path dynamically ([75a152e](https://github.com/snyk/snyk/commit/75a152ec29e91f9c37a26f0daed77a142cebef39))
-* **iac:** Upgrade iac components to address a vulnerability [IAC-3439] ([eaaaf84](https://github.com/snyk/snyk/commit/eaaaf844237b430d9d9ee7109ada5b5bd2e103a5))
-* **logging:** Fix broken debug logs due to secret redaction by redacting all user input ([0cf19a7](https://github.com/snyk/snyk/commit/0cf19a7dc8b761ec61d7ae0f3f5d160b0e2b0450))
-* **language-server:** Multiple bugfixes
+* **test:** Fix issue where npm aliases only detected the latest version of a dependency ([cb37da7](https://github.com/snyk/snyk/commit/cb37da79febf6e9c44b68eccf444633a6508aa3f))
+* **security:** Upgrades dependencies to address CVE-2025-58058 and CVE-2025-11065 ([d7e87e2](https://github.com/snyk/snyk/commit/d7e87e296f99d299a87533812399830b60b7c0c3))
+* **general:** Improved error messaging ([5d16466](https://github.com/snyk/snyk/commit/5d16466e76ad0d278e62c023001ed78f06b3cd01))
@@ -17,11 +17,11 @@ require (
 	github.com/snyk/cli-extension-os-flows v0.0.0-20250915102829-6a59c2ef7e88
 	github.com/snyk/cli-extension-sbom v0.0.0-20250801142135-ae472dafa4cd
 	github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7
-	github.com/snyk/error-catalog-golang-public v0.0.0-20251006093240-2d9cc5458485
-	github.com/snyk/go-application-framework v0.0.0-20251006124522-e128dc93338d
+	github.com/snyk/error-catalog-golang-public v0.0.0-20251008132755-b542bb643649
+	github.com/snyk/go-application-framework v0.0.0-20251016104433-d98d8780ade2
 	github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65
 	github.com/snyk/snyk-iac-capture v0.6.5
-	github.com/snyk/snyk-ls v0.0.0-20251007104647-18cf38d2c118
+	github.com/snyk/snyk-ls v0.0.0-20251016122543-16d8142ff07a
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
@@ -91,7 +91,7 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-test/deep v1.0.8 // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20250207164621-7a1f277a159e // indirect
@@ -167,7 +167,7 @@ require (
 	github.com/shirou/gopsutil v3.21.11+incompatible // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
-	github.com/snyk/code-client-go v1.24.0 // indirect
+	github.com/snyk/code-client-go v1.24.1 // indirect
 	github.com/snyk/policy-engine v1.1.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/sourcegraph/go-lsp v0.0.0-20240223163137-f80c5dd31dfd // indirect
@@ -178,7 +178,7 @@ require (
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.14 // indirect
 	github.com/tklauser/numcpus v0.8.0 // indirect
-	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/vincent-petithory/dataurl v1.0.0 // indirect
 	github.com/writeas/go-strip-markdown v2.0.1+incompatible // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect

@@ -866,8 +866,8 @@ github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhO
 github.com/go-test/deep v1.0.1/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
 github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
-github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
@@ -1262,22 +1262,22 @@ github.com/snyk/cli-extension-os-flows v0.0.0-20250915102829-6a59c2ef7e88 h1:m6k
 github.com/snyk/cli-extension-os-flows v0.0.0-20250915102829-6a59c2ef7e88/go.mod h1:dFrXORRzFNF+tJ/Z51MPEeWi3IU5MuLWkt1L3dxDMG4=
 github.com/snyk/cli-extension-sbom v0.0.0-20250801142135-ae472dafa4cd h1:bZg7Zkctm2tvaznI8A4/0fFOZMgglNAIFmIIlRz16W0=
 github.com/snyk/cli-extension-sbom v0.0.0-20250801142135-ae472dafa4cd/go.mod h1:zyKDBaETfZyI7BfIjPnezH3QX2seQrR/d7NM5W6LV9s=
-github.com/snyk/code-client-go v1.24.0 h1:ZSh8/1+d6DkG3ZabOAxMrnzBPf4BsBV1O931lQGcOG4=
-github.com/snyk/code-client-go v1.24.0/go.mod h1:3d9rtr06j239obFmF7Ojl9KybivOTR3lz0vsmDNPsRI=
+github.com/snyk/code-client-go v1.24.1 h1:FTCVxRq8kNryq0xKOW8vqEU6s1iWwyaq7zvEN7q0Gn0=
+github.com/snyk/code-client-go v1.24.1/go.mod h1:uMlmMToe4uuNhNLs+yxjM3WFbytna+ytDWhpbnNwTSk=
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7 h1:/2+2piwQtB9fEJCkXEOjboZjY+77lQfnvqBZ/60xNHk=
 github.com/snyk/container-cli v0.0.0-20250321132345-1e2e01681dd7/go.mod h1:38w+dcAQp9eG3P5t2eNS9eG0reut10AeJjLv5lJ5lpM=
-github.com/snyk/error-catalog-golang-public v0.0.0-20251006093240-2d9cc5458485 h1:4cYwZIvqN4hATJMU3kUQwd5hJ9r9Lyt1OUw5egIGRGw=
-github.com/snyk/error-catalog-golang-public v0.0.0-20251006093240-2d9cc5458485/go.mod h1:Ytttq7Pw4vOCu9NtRQaOeDU2dhBYUyNBe6kX4+nIIQ4=
-github.com/snyk/go-application-framework v0.0.0-20251006124522-e128dc93338d h1:i+h8yEvnMR5PcA5cpNza/XgC8I1bhgt0zzWR/OQ/K4E=
-github.com/snyk/go-application-framework v0.0.0-20251006124522-e128dc93338d/go.mod h1:4EUkFRjjrjTfOIxsaNX9n1+esKr9w8Vfez1gysDm/44=
+github.com/snyk/error-catalog-golang-public v0.0.0-20251008132755-b542bb643649 h1:kS6bSbjvfMTc8vqIZzHXzTHKh4kLKt27m0tsJ8T3WQc=
+github.com/snyk/error-catalog-golang-public v0.0.0-20251008132755-b542bb643649/go.mod h1:Ytttq7Pw4vOCu9NtRQaOeDU2dhBYUyNBe6kX4+nIIQ4=
+github.com/snyk/go-application-framework v0.0.0-20251016104433-d98d8780ade2 h1:DXb1yTZWuEuHCcGNxM6jrOKaKdd8NxGxA4FgqQjJToI=
+github.com/snyk/go-application-framework v0.0.0-20251016104433-d98d8780ade2/go.mod h1:M5E4S+LAqV9SWp8QG8eKKrcRPlbJ0ZFZG/z5DmS5NmE=
 github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65 h1:CEQuYv0Go6MEyRCD3YjLYM2u3Oxkx8GpCpFBd4rUTUk=
 github.com/snyk/go-httpauth v0.0.0-20240307114523-1f5ea3f55c65/go.mod h1:88KbbvGYlmLgee4OcQ19yr0bNpXpOr2kciOthaSzCAg=
 github.com/snyk/policy-engine v1.1.0 h1:vFbFZbs3B0Y3XuGSur5om2meo4JEcCaKfNzshZFGOUs=
 github.com/snyk/policy-engine v1.1.0/go.mod h1:SSZiMz6TiggRAk33duOueWeSG0Xwl0QoZo8hfPcEAh0=
 github.com/snyk/snyk-iac-capture v0.6.5 h1:992DXCAJSN97KtUh8T5ndaWwd/6ZCal2bDkRXqM1u/E=
 github.com/snyk/snyk-iac-capture v0.6.5/go.mod h1:e47i55EmM0F69ZxyFHC4sCi7vyaJW6DLoaamJJCzWGk=
-github.com/snyk/snyk-ls v0.0.0-20251007104647-18cf38d2c118 h1:jG00xXIo4/rT9UDx9bZuvaTUkZHvA2crNhRZrXg7JsU=
-github.com/snyk/snyk-ls v0.0.0-20251007104647-18cf38d2c118/go.mod h1:/nn33EsNm/KA7gqN4Kt4uM/Edi8w8KVjQFDIMfSs4hw=
+github.com/snyk/snyk-ls v0.0.0-20251016122543-16d8142ff07a h1:JVdju+yprVUZygyBqUuaUKds1n4zEt0Aw0aGly3/AXU=
+github.com/snyk/snyk-ls v0.0.0-20251016122543-16d8142ff07a/go.mod h1:/nn33EsNm/KA7gqN4Kt4uM/Edi8w8KVjQFDIMfSs4hw=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/sourcegraph/go-lsp v0.0.0-20240223163137-f80c5dd31dfd h1:Dq5WSzWsP1TbVi10zPWBI5LKEBDg4Y1OhWEph1wr5WQ=
@@ -1333,8 +1333,8 @@ github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYN
 github.com/tklauser/numcpus v0.8.0 h1:Mx4Wwe/FjZLeQsK/6kt2EOepwwSl7SmJrK5bV/dXYgY=
 github.com/tklauser/numcpus v0.8.0/go.mod h1:ZJZlAY+dmR4eut8epnzf0u/VwodKmryxR8txiloSqBE=
 github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
-github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
+github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible h1:IIqxTM5Jr7RzhigcL6FkrCNfXkvbR+Nbu1ls48pXYcw=

@@ -122,7 +122,7 @@
     "snyk-gradle-plugin": "5.1.0",
     "snyk-module": "3.1.0",
     "snyk-mvn-plugin": "4.3.0",
-    "snyk-nodejs-lockfile-parser": "2.2.2",
+    "snyk-nodejs-lockfile-parser": "2.2.4",
     "snyk-nodejs-plugin": "1.4.4",
     "snyk-nuget-plugin": "2.11.0",
     "snyk-php-plugin": "1.12.1",

@@ -12,8 +12,8 @@ export async function maybePrintDepGraph(
   // TODO @boost: remove this logic once we get a valid depGraph print format
   const graphPathsCount = countPathsToGraphRoot(depGraph);
   const hasTooManyPaths = graphPathsCount > config.PRUNE_DEPS_THRESHOLD;
-
-  if (!hasTooManyPaths) {
+  const hasAliases = isDepGraphWithAliases(depGraph);
+  if (!hasTooManyPaths && !hasAliases) {
     const depTree = (await depGraphLib.legacy.graphToDepTree(
       depGraph,
       depGraph.pkgManager.name,
@@ -29,13 +29,32 @@ export async function maybePrintDepGraph(
         console.log(jsonStringifyLargeObject(depGraph.toJSON()));
       } else {
         console.warn(
-          '--print-deps option not yet supported for large projects. Try with --json.',
+          '--print-deps option not yet supported for large projects or with aliases. Try with --json.',
         );
       }
     }
   }
 }
 
+function isDepGraphWithAliases(depGraph: depGraphLib.DepGraph): boolean {
+  const depGraphJson = depGraph.toJSON();
+  for (const node of depGraphJson.graph.nodes) {
+    if (node.info?.labels?.alias) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function isDepTreeWithAliases(depTree: legacyApi.DepTree): boolean {
+  if (!depTree.dependencies) {
+    return false;
+  }
+  return Object.values(depTree.dependencies).some(
+    (dependency) => dependency.labels?.alias,
+  );
+}
+
 // This option is still experimental and might be deprecated.
 // It might be a better idea to convert it to a command (i.e. do not perform test/monitor).
 export function maybePrintDepTree(
@@ -47,7 +66,13 @@ export function maybePrintDepTree(
       // Will produce 2 JSON outputs, one for the deps, one for the vuln scan.
       console.log(jsonStringifyLargeObject(rootPackage));
     } else {
-      printDepsForTree({ [rootPackage.name!]: rootPackage });
+      if (isDepTreeWithAliases(rootPackage)) {
+        console.warn(
+          '--print-deps option not yet supported for large projects or with aliases. Try with --json.',
+        );
+      } else {
+        printDepsForTree({ [rootPackage.name!]: rootPackage });
+      }
     }
   }
 }

@@ -0,0 +1,8 @@
+{
+    "name": "script",
+    "version": "1.0.0",
+    "dependencies": {
+      "hello-world-npm": "npm:hello-world-npm@=1.1.0",
+      "hello-world-npm-v1_1_1": "npm:hello-world-npm@=1.1.1"
+    }
+  }
@@ -0,0 +1,8 @@
+{
+    "name": "script",
+    "version": "1.0.0",
+    "dependencies": {
+      "hello-world-npm": "npm:hello-world-npm@=1.1.0",
+      "hello-world-npm-v1_1_1": "npm:hello-world-npm@=1.1.1"
+    }
+  }
@@ -0,0 +1,8 @@
+{
+    "name": "script",
+    "version": "1.0.0",
+    "dependencies": {
+      "hello-world-npm": "npm:hello-world-npm@=1.1.0",
+      "hello-world-npm-v1_1_1": "npm:hello-world-npm@=1.1.1"
+    }
+  }