2025 Weeks 5-6
- Veracode vulnerabilities are read from the SCA database.
Improved
- Upgraded OPA policy engine
2025 Week 5
- Additional advisory sources from OSV (notably OSSF MAL and RUSTSEC).
Improved
- Incomplete package versions are no longer returned by /versions.
- Vulnerability affected version range tests are more accurate.
- Vulnerabilities properly affect old versions of Rubygems packages.
- Vulnerabilities properly affect new versions released after the vulnerability was published.
- Vulnerabilities are properly withdrawn when they no longer affect a package version.
- Vulnerabilities with CVSS4 vectors now have correct base scores instead of 0.0.
- Package search results now have correct published timestamps or default to 1970 if unknown.
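The affected-version fixes listed above (old versions still affected, versions released after the advisory still affected until a fix, withdrawal once a fix lands) follow the range semantics of the OSV advisory format that the new sources use. The following is an added illustration written for this page, not Phylum's own code: it evaluates OSV-style `introduced` / `fixed` / `last_affected` events against a list of package versions. It assumes the public OSV schema layout and simplified numeric dotted versions; the advisory and release list are constructed samples.

```python
# Added example: evaluating OSV affected ranges against package versions.
# Illustrative code written for this page, not Phylum's implementation.
# Assumes the public OSV schema layout (affected[].package, affected[].ranges[].events)
# and simplified numeric dotted versions; real ecosystems need proper version parsers.
from typing import Iterable

SUPPORTED_RANGE_TYPES = {"SEMVER", "ECOSYSTEM"}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted numeric version ('1.4.2') into a comparable tuple.

    Simplification: pre-release tags, epochs and ecosystem-specific ordering
    rules are out of scope here. '0' is the OSV sentinel for 'every version'."""
    return tuple(int(part) for part in text.split("."))


def _event_key(event: dict) -> tuple[int, ...]:
    """Sort key so events are walked in ascending version order."""
    value = event.get("introduced") or event.get("fixed") or event.get("last_affected")
    return (0,) if value == "0" else parse_version(value)


def is_affected(version: str, ranges: Iterable[dict]) -> bool:
    """Return True if `version` falls inside any affected range.

    Walking events in ascending order: 'introduced' switches the version to
    affected, 'fixed' switches it off at and above the fix, and 'last_affected'
    switches it off strictly above the last affected version. A version released
    after the advisory was published but below the fix stays affected; a version
    at or above the fix is no longer affected."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") not in SUPPORTED_RANGE_TYPES:
            continue  # GIT ranges need commit history, not version comparisons
        affected = False
        for event in sorted(rng.get("events", []), key=_event_key):
            if "introduced" in event:
                if event["introduced"] == "0" or v >= parse_version(event["introduced"]):
                    affected = True
            elif "fixed" in event:
                if v >= parse_version(event["fixed"]):
                    affected = False
            elif "last_affected" in event:
                if v > parse_version(event["last_affected"]):
                    affected = False
        if affected:
            return True
    return False


def affected_versions(advisory: dict, ecosystem: str, name: str,
                      candidates: Iterable[str]) -> list[str]:
    """List the candidate versions of one package that the advisory affects.

    A withdrawn advisory affects nothing, which is how a vulnerability drops
    off every version once the source retracts it."""
    if advisory.get("withdrawn"):
        return []
    hits: list[str] = []
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for version in candidates:
            if version not in hits and is_affected(version, entry.get("ranges", [])):
                hits.append(version)
    return hits


# Constructed sample advisory in OSV layout (placeholder id, not a real advisory).
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-2025-0001",
    "published": "2025-01-20T00:00:00Z",
    "affected": [{
        "package": {"ecosystem": "RubyGems", "name": "example-gem"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [{"introduced": "1.0.0"}, {"fixed": "1.5.0"}],
        }],
    }],
}

# Constructed release list; 1.4.2 stands in for a version released after publication.
SAMPLE_VERSIONS = ["0.9.0", "1.0.0", "1.4.2", "1.5.0", "2.0.0"]

if __name__ == "__main__":
    print(affected_versions(SAMPLE_ADVISORY, "RubyGems", "example-gem", SAMPLE_VERSIONS))
```

Running the block prints `['1.0.0', '1.4.2']`: the pre-advisory 0.9.0 is untouched, the later 1.4.2 is still flagged because it predates the fix, and 1.5.0 onward are clear. Setting `withdrawn` on the advisory empties the result, matching the withdrawal behaviour described above.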
Removed
- Swagger UI hosted at /api/v0/swagger.
- SUCCESS comments are no longer added to PRs.
2024 Week 50
- CVSS information in policy input.
Improved
- Removed confusing "for the given id" language in 404 descriptions.
2024 Week 49
- Incomplete (un)suppression endpoints for projects.
- Unsupported PURL components now behave consistently across package check and submission endpoints.
2024 Week 47
- organization query parameter for filtering search results.
- Project get_endpoint now returns the owning organization and group.
Improved
- filter.organization parameter on the list projects endpoint now refers to the user's personal org when set to "-".
- Token docs link now respects UI base URL.
- GitHub installation ownership is not transferred with legacy groups.
- Package versions endpoint no longer returns 500 errors for invalid timestamps.
- Continuous monitoring detects issues even if only some occurrences are blocked.
Removed
- /download and /download-url package endpoints.
2024 Week 44
- unsuppress-packages endpoint to remove all package suppressions.
- pipeline_status and pipeline_error fields added to FullPackage responses.
- Endpoints for managing packages that are complete while processing.
- Package ID included in issue suppression audit logs.
Improved
- incomplete_packages in reports is now a list of structs instead of strings.
- Members can set project policies via PUT /projects/<id>/policies.
- PackageSpecifierWithPurl schema no longer incorrectly requires version.
- submit_endpoint no longer returns AlreadyProcessed for unprocessed packages.
- Organization groups are now properly considered in searches.
- Old group audit events now appear when filtering by the new owner organization.
- PyPI package release counts are now accurate.
- Project count in project list metadata is now correct.
Removed
- Search metadata endpoint.
2024 Week 41
- Restored deprecated suppressed property.
- Empty package status errors are ignored.
Removed
- Group IDs from policy locators.
2023 Weeks 49-52
- UI: Added an email invitation system when attempting to add an unknown user to a group
- Extension: Added a Snyk import extension
2023 Weeks 43-48
- Notifications: Added email and webhook notification feature that triggers on continuous monitoring events
- Integration: Added an integration for Snyk
- Integration: Added an integration for Sumo Logic
- Integration: Added an integration for CircleCI
- Authentication: Added support for AzureAD authentication provider
Improved
- UI: Improved color palette
- SBOM: Added vulnerabilities to CycloneDX exports
2023 Weeks 37-42
- CLI/CI: Added support for manifest files by leveraging lockfile generation
- Integration: Added an integration for Netskope
- Experimental: Added GenerativeAI remediation suggestion capability
2023 Weeks 31-36
- API Token: Added an API token service making it much easier to interact directly with the API
- Policy: Added support for group-level package suppression
- CLI: Capture and display lockfile paths making it easier to see where a dependency comes from
- SBOM: Added CycloneDX support for both SBOM ingest and export
Improved
- UI: Improved project detail page view focusing more on package-level triage
- CLI: Added bundle and cargo extensions for Phylum pre-check
- Search: Added support for contextualized CVE searching in the global search bar
- Dashboard: Added contextualized dashboard elements
2023 Weeks 25-30
- Search: Added a global search bar which can include contextualized results from your projects
- Policy: Added support for group-level policy preferences
- Integration: Added an integration for Tines
Improved
- CLI: Support for NuGet's packages.lock.json lockfiles
- CLI: Support for pnpm-lock.yaml lockfiles
2023 Weeks 19-24
- Threat Feed: Added a threat feed capability highlighting software supply chain attacks (contact sales if interested)
- Dashboard: Created Dashboard view showing software supply chain statistics
- CLI: Added support for lockfile generation from manifest files (updated list of supported filetypes here)
Improved
- CLI: Added pip version checking to the phylum pip extension
- CLI: Removed pip-compile requirement for lockfile generation
- SBOM: SPDX export supports PURL
- SBOM: SPDX ingest supports tag:value format
2023 Weeks 13-18
- Policy: Open Policy Agent (OPA) has been implemented allowing users to create custom policies
- Event Logs: A UI view was added showing project/group event logs
- SBOM: SPDX export added for generating an SBOM from a Phylum project
- SBOM: spdx added as a type allowing an SBOM to be analyzed with the phylum analyze -t spdx command
Improved
2023 Weeks 7-12
- Integrations: A Bitbucket Cloud integration was created
Improved
- CLI: v4.7.0 was released including automatic lockfile detection
2023 Weeks 1-6
- Groups: The ability to delete Groups was added to the UI/CLI/API
- CLI: An extension supporting the pip package manager for installation pre-check and sandboxing was published
Improved
- CLI: phylum package command now automatically submits a package for analysis if results are not already available
- Analysis: Phylum project/analysis job submissions can now contain multiple lockfiles/ecosystems