
Changelog

2025 Weeks 5-6

New

  • Veracode vulnerabilities are read from the SCA database.

Improved

  • Upgraded OPA policy engine

2025 Week 5

New

  • Additional advisory sources from OSV (notably OSSF MAL and RUSTSEC).

Improved

  • Incomplete package versions are no longer returned by /versions.

Fixed

  • Vulnerability affected version range tests are more accurate.
  • Vulnerabilities properly affect old versions of Rubygems packages.
  • Vulnerabilities properly affect new versions released after the vulnerability was published.
  • Vulnerabilities are properly withdrawn when they no longer affect a package version.
  • Vulnerabilities with CVSS4 vectors now have correct base scores instead of 0.0.
  • Package search results now have correct published timestamps or default to 1970 if unknown.

Removed

  • Swagger UI hosted at /api/v0/swagger.
  • SUCCESS comments are no longer added to PRs.

2024 Week 50

New

  • CVSS information in policy input.

Improved

  • Removed confusing "for the given id" language in 404 descriptions.

2024 Week 49

New

  • Incomplete (un)suppression endpoints for projects.

Fixed

  • Unsupported PURL components now behave consistently across package check and submission endpoints.

2024 Week 47

New

  • organization query parameter for filtering search results.
  • Project get_endpoint now returns the owning organization and group.

Improved

  • filter.organization parameter on the list projects endpoint now refers to the user's personal org when set to "-".

Fixed

  • Token docs link now respects UI base URL.
  • GitHub installation ownership is not transferred with legacy groups.
  • Package versions endpoint no longer returns 500 errors for invalid timestamps.
  • Continuous monitoring detects issues even if only some occurrences are blocked.

Removed

  • /download and /download-url package endpoints.

2024 Week 44

New

  • unsuppress-packages endpoint to remove all package suppressions.
  • pipeline_status and pipeline_error fields added to FullPackage responses.
  • Endpoints for managing packages that are complete while processing.
  • Package ID included in issue suppression audit logs.

Improved

  • incomplete_packages in reports is now a list of structs instead of strings.
  • Members can set project policies via PUT /projects/<id>/policies.

Fixed

  • PackageSpecifierWithPurl schema no longer incorrectly requires version.
  • submit_endpoint no longer returns AlreadyProcessed for unprocessed packages.
  • Organization groups are now properly considered in searches.
  • Old group audit events now appear when filtering by the new owner organization.
  • PyPI package release counts are now accurate.
  • Project count in project list metadata is now correct.

Removed

  • Search metadata endpoint.

2024 Week 41

Fixed

  • Restored deprecated suppressed property.
  • Empty package status errors are ignored.

Removed

  • Group IDs from policy locators.

2023 Weeks 49-52

New

  • UI: Added an email invitation system when attempting to add an unknown user to a group
  • Extension: Added a Snyk import extension

2023 Weeks 43-48

New

  • Notifications: Added email and webhook notification feature that triggers on continuous monitoring events
  • Integration: Added an integration for Snyk
  • Integration: Added an integration for Sumo Logic
  • Integration: Added an integration for CircleCI
  • Authentication: Added support for AzureAD authentication provider

Improved

  • UI: Improved color palette
  • SBOM: Added vulnerabilities to CycloneDX exports

2023 Weeks 37-42

New

  • CLI/CI: Added support for manifest files by leveraging lockfile generation
  • Integration: Added an integration for Netskope
  • Experimental: Added GenerativeAI remediation suggestion capability

2023 Weeks 31-36

New

  • API Token: Added an API token service making it much easier to interact directly with the API
  • Policy: Added support for group-level package suppression
  • CLI: Capture and display lockfile paths making it easier to see where a dependency comes from
  • SBOM: Added CycloneDX support for both SBOM ingest and export

Improved

  • UI: Improved project detail page view focusing more on package-level triage
  • CLI: Added bundle and cargo extensions for Phylum pre-check
  • Search: Added support for contextualized CVE searching in the global search bar
  • Dashboard: Added contextualized dashboard elements

2023 Weeks 25-30

New

  • Search: Added a global search bar which can include contextualized results from your projects
  • Policy: Added support for group-level policy preferences
  • Integration: Added an integration for Tines

Improved

  • CLI: Support for NuGet's packages.lock.json lockfiles
  • CLI: Support for pnpm-lock.yaml lockfiles

2023 Weeks 19-24

New

  • Threat Feed: Added a threat feed capability highlighting software supply chain attacks (contact sales if interested)
  • Dashboard: Created Dashboard view showing software supply chain statistics
  • CLI: Added support for lockfile generation from manifest files (updated list of supported filetypes here)

Improved

  • CLI: Added pip version checking to the phylum pip extension
  • CLI: Removed pip-compile requirement for lockfile generation
  • SBOM: SPDX export supports PURL
  • SBOM: SPDX ingest supports tag:value format

2023 Weeks 13-18

New

  • Policy: Open Policy Agent (OPA) has been implemented allowing users to create custom policies
  • Event Logs: A UI view was added showing project/group event logs
  • SBOM: SPDX export added for generating an SBOM from a Phylum project
  • SBOM: spdx added as a type allowing an SBOM to be analyzed with the phylum analyze -t spdx command

Improved

2023 Weeks 7-12

New

  • Integrations: A Bitbucket Cloud integration was created

Improved

  • CLI: v4.7.0 was released including automatic lockfile detection

2023 Weeks 1-6

New

  • Groups: The ability to delete Groups was added to the UI/CLI/API
  • CLI: An extension supporting the pip package manager for installation pre-check and sandboxing was published

Improved

  • CLI: phylum package command now automatically submits a package for analysis if results are not already available
  • Analysis: Phylum project/analysis job submissions can now contain multiple lockfiles/ecosystems