chore: Update release candidate#6808
…ret-scan2 fix(mcp): remove --sarif flag as param for secret scanning tool
…me-main docs: synchronizing README from snyk/user-docs
chore: update dependencies to fix vulnerabilities
fix(ci): Avoid fetching sarif schema in tests
fix: upgrade snyk-docker-plugin
…t-acceptance-tests fix: acceptance tests for secrets test output [PS-357]
…ceptance-deps-build-image chore: preinstall linux acceptance deps in build image
SNYK-GOLANG-GOOPENTELEMETRYIOOTELBAGGAGE-15928416 SNYK-GOLANG-GOOPENTELEMETRYIOOTELINTERNALGLOBAL-15928418 SNYK-GOLANG-GOOPENTELEMETRYIOOTELPROPAGATION-15928420
SNYK-GOLANG-STDCRYPTOTLS-15928849
fix: Fix multiple vulnerabilities by upgrading to go1.25.9 and otel-go
…epo-url-before-test fix: upgrade cli-extension-secrets to strip credentials from repo URLs and normalize for consistent IDs [PS-536]
fix: add tests for sdp upgrade
…ints chore: update go-application-framework for SARIF fingerprints
…-uv-plugin refactor: use uv plugin behind new interface
fix(ci): remove broken cli-alerts
fix: map uv to correct semver definition
chore: upgrade Node.js runtime from 20 to 22 LTS
fix(dependency): CVE-2026-45022
feat(mcp): add breakability evaluation tool
Address review feedback on the test/monitor request-concurrency knob:

- Restore the default to 5 (the prior hard-coded value), so the env-var introduction is purely a configurability change. The default-bump question can be revisited separately once we have telemetry, per Peter's review.
- Make the GAF configuration the single source of truth for the user-facing SNYK_REQUEST_CONCURRENCY value: register a new cliv2.ConfigKeyRequestConcurrency key, with snyk_request_concurrency as an alternative key (so the env var feeds the config). The Go side forwards the resolved value to the legacy CLI process via the internal SNYK_INTERNAL_REQUEST_CONCURRENCY env var. The TS helper now reads that internal env var instead of the user-facing one, leaving the public configuration surface owned by Go (and reachable in the future from config files / flags without further TS changes).
- Add the new internal env var to the legacy-CLI env blacklist so a user can't bypass the Go config by setting it directly.
- A new env var (not the existing MAX_THREADS) keeps HTTP request concurrency separate from the CPU-bound thread pool, per F2F.
Add unit coverage for fillEnvironmentFromConfig's handling of the new ConfigKeyRequestConcurrency: forwards a user-set value to the legacy CLI as SNYK_INTERNAL_REQUEST_CONCURRENCY, omits the internal env when unset, and strips a user-provided internal env so Go remains the source of truth.
chore: sync main with v1.1304.3
Under main.go's WithSupportedEnvVarPrefixes setup (the production config), GAF's IsSet does not pre-bind env vars for alternative keys — only get() does. As a result, config.IsSet(ConfigKeyRequestConcurrency) returned false even when SNYK_REQUEST_CONCURRENCY was set, so the internal env var was never forwarded to the legacy CLI process and the TS code always saw the default concurrency. Switch to GetString and check non-empty: GetString goes through GAF's get(), which binds the alt key before reading. The original unit test passed only because it used WithAutomaticEnv, which bypasses bindEnv entirely and so masked the production behavior. Update the test to construct the config the way main.go does (with WithSupportedEnvVarPrefixes), so the regression is caught next time.
feat: introduce SNYK_REQUEST_CONCURRENCY for dependency request parallelism
feat: Linux ARM64 and Linux AMD64 binaries are now statically linked
Rewrite monitorDependencies in src/lib/ecosystems/monitor.ts to fan out per-ScanResult /monitor-dependencies PUTs in parallel via pMap, bounded by the SNYK_REQUEST_CONCURRENCY limit (default 5). Per-ScanResult work is extracted into monitorOneScanResult for testability and clarity.

Container images that produce many ScanResults (e.g. one per directory of JARs in fat-JAR-heavy images) previously incurred one full RTT per scan result, since the prior implementation used a nested for-loop with await. With bounded parallelism this collapses to ~ceil(N / concurrency) sequential batches, materially reducing wall-clock for large images.

Error semantics are preserved:

- 401 still throws AuthFailedError (terminates the run).
- Other 4xx still throws MonitorError (terminates via pMap fail-fast).
- 5xx and other non-4xx errors are accumulated per-ScanResult into the errors array, matching the prior continue-on-error behavior.

Result order is preserved by pMap based on input order, so output remains deterministic regardless of completion order.

Tests cover concurrency cap (default 5), env override via the internal SNYK_INTERNAL_REQUEST_CONCURRENCY contract that the wrapping Go CLI forwards, ordering preservation, 4xx fail-fast, and 5xx accumulation.
feat: parallelize container monitor dependency requests
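The two pieces the commit messages above describe, the concurrency knob (the TS side reading SNYK_INTERNAL_REQUEST_CONCURRENCY with a default of 5, and the Go side stripping a user-supplied copy of that variable before forwarding the resolved value) and the bounded per-ScanResult fan-out with its 401 / 4xx / 5xx semantics, as one added TypeScript example. This is not Snyk CLI code: boundedMap stands in for pMap, and the transport, error classes, ScanResult shape and buildLegacyEnv are assumptions made so the example runs offline against constructed responses.

```typescript
// Added example, not Snyk CLI code: bounded fan-out of per-ScanResult
// monitor requests with the error semantics from the commit message.
// boundedMap stands in for pMap; the transport, error classes, result
// shapes and buildLegacyEnv are assumptions so the example runs offline.

const DEFAULT_REQUEST_CONCURRENCY = 5;
const INTERNAL_ENV = 'SNYK_INTERNAL_REQUEST_CONCURRENCY';

// The TS side reads only the internal variable the Go wrapper forwards;
// unset, non-numeric or non-positive values fall back to the default of 5.
export function getRequestConcurrency(
  env: Record<string, string | undefined> = process.env,
): number {
  const n = Number.parseInt(env[INTERNAL_ENV] ?? '', 10);
  return Number.isInteger(n) && n > 0 ? n : DEFAULT_REQUEST_CONCURRENCY;
}

// Models the Go side's environment construction for the legacy CLI: a
// user-set internal variable is dropped (blacklisted), then the value the
// Go config resolved, if any, is forwarded. Hypothetical reimplementation.
export function buildLegacyEnv(
  userEnv: Record<string, string>, resolved?: string,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(userEnv)) if (k !== INTERNAL_ENV) out[k] = v;
  if (resolved) out[INTERNAL_ENV] = resolved;
  return out;
}

export class AuthFailedError extends Error {}
export class MonitorError extends Error {
  readonly status: number;
  constructor(status: number, message: string) { super(message); this.status = status; }
}

export interface ScanResult { identity: string }
export interface MonitorResponse { status: number; body?: unknown }
export type Transport = (sr: ScanResult) => Promise<MonitorResponse>;

// Minimal pMap stand-in: at most `concurrency` calls in flight, results kept
// in input order, first rejection propagates (in-flight calls are not cancelled).
export async function boundedMap<T, R>(
  items: readonly T[], concurrency: number, fn: (item: T) => Promise<R>,
): Promise<R[]> {
  const results: R[] = new Array(items.length);
  let next = 0;
  const worker = async (): Promise<void> => {
    while (next < items.length) {
      const i = next++;
      results[i] = await fn(items[i]);
    }
  };
  const n = Math.max(1, Math.min(concurrency, items.length));
  await Promise.all(Array.from({ length: n }, worker));
  return results;
}

// One PUT per ScanResult: 401 and other 4xx end the run by throwing; 5xx and
// transport failures are recorded in `errors` and the run continues.
export async function monitorOneScanResult(
  sr: ScanResult, send: Transport, errors: Error[],
): Promise<unknown | undefined> {
  let res: MonitorResponse;
  try {
    res = await send(sr);
  } catch (e) {
    errors.push(e instanceof Error ? e : new Error(String(e)));
    return undefined;
  }
  if (res.status === 401) throw new AuthFailedError(`${sr.identity}: authentication failed`);
  if (res.status >= 400 && res.status < 500) throw new MonitorError(res.status, `${sr.identity}: HTTP ${res.status}`);
  if (res.status >= 500) { errors.push(new Error(`${sr.identity}: HTTP ${res.status}`)); return undefined; }
  return res.body;
}

export async function monitorDependencies(
  scanResults: readonly ScanResult[], send: Transport,
  concurrency: number = getRequestConcurrency(),
): Promise<{ results: (unknown | undefined)[]; errors: Error[] }> {
  const errors: Error[] = [];
  const results = await boundedMap(scanResults, concurrency, (sr) => monitorOneScanResult(sr, send, errors));
  return { results, errors };
}

// Constructed fake transport: status chosen per identity, later items finish
// sooner (so completion order differs from input order), peak in-flight recorded.
export function makeFakeTransport(statusFor: (id: string) => number) {
  let inFlight = 0, peak = 0;
  const send: Transport = (sr) => new Promise((resolve) => {
    inFlight++; peak = Math.max(peak, inFlight);
    const delay = 20 - (Number(sr.identity.replace(/\D/g, '')) % 20);
    setTimeout(() => { inFlight--; resolve({ status: statusFor(sr.identity), body: `ok:${sr.identity}` }); }, delay);
  });
  return { send, peak: () => peak };
}
```

Two points worth checking against the real change: boundedMap, like a fail-fast map, does not cancel requests already in flight when one rejects, so a 4xx ends the run but up to concurrency-1 PUTs may still complete; and buildLegacyEnv is the property the blacklist is meant to guarantee, namely that a value placed in SNYK_INTERNAL_REQUEST_CONCURRENCY by the user never reaches the legacy process unless the Go config resolved it.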
✅ Snyk checks have passed. No issues have been found so far.