What's new
Feature releases, improvements, and fixes — in chronological order.
Changelog entries
Java Maven + Gradle support
Full call graph analysis now available for Java projects using Maven or Gradle. Supports Spring Boot, Quarkus, and standard library entry points. Tested against repos ranging from 50K to 2M LOC.
Auto fix PR generation
Pro plan users can now enable automatic fix PR creation. When Patchlynx finds a reachable CVE with an available patch, it opens a companion PR with the dependency upgraded. One click to merge.
Faster analysis for monorepos
Incremental analysis caching reduced average scan time for monorepos with multiple lockfiles from 38s to 9s. Patchlynx now detects which workspaces are affected by a lockfile change and scopes analysis accordingly.
Slack alerts for reachable CVEs
Connect your Slack workspace in dashboard Settings. Get notified when a PR introduces a reachable vulnerability — with a direct link to the finding and fix suggestion. Configurable per-repository and per-severity.
Improved Python dynamic import handling
Extended the Python call graph engine to handle importlib.import_module() when the module name is a string literal. Reduces false negatives in plugin-based architectures.
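The sketch below is an added example, not Patchlynx's own code. It shows how a static analyzer can turn literal `importlib.import_module()` calls into import edges while keeping computed names visible as unresolved. The function names (`dynamic_import_edges`, `_literal`) and the sample source are hypothetical, and the handling of aliases and the relative `package=` form goes beyond what the entry above states.

```python
import ast
from importlib.util import resolve_name

# Constructed plugin loader used as sample input (not from a real project).
SAMPLE = '''
import importlib
from importlib import import_module as load_mod

def load(name):
    importlib.import_module("plugins.yaml_loader")
    load_mod(".csv_loader", package="plugins")
    importlib.import_module("plugins." + name)
'''

def _literal(node):
    """Return the string value of a literal AST node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

def dynamic_import_edges(source):
    """Return (resolved module names, line numbers of unresolvable calls)."""
    tree = ast.parse(source)
    mod_names, func_names = set(), set()  # local aliases for importlib / import_module
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mod_names |= {a.asname or a.name for a in node.names if a.name == "importlib"}
        elif isinstance(node, ast.ImportFrom) and node.module == "importlib":
            func_names |= {a.asname or a.name for a in node.names if a.name == "import_module"}
    resolved, unresolved = set(), []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        via_module = (isinstance(f, ast.Attribute) and f.attr == "import_module"
                      and isinstance(f.value, ast.Name) and f.value.id in mod_names)
        via_alias = isinstance(f, ast.Name) and f.id in func_names
        if not (via_module or via_alias) or not node.args:
            continue
        name = _literal(node.args[0])
        pkg_node = next((k.value for k in node.keywords if k.arg == "package"),
                        node.args[1] if len(node.args) > 1 else None)
        package = _literal(pkg_node) if pkg_node is not None else None
        if name is None or (name.startswith(".") and package is None):
            unresolved.append(node.lineno)  # computed name: keep visible, do not drop
        else:
            resolved.add(resolve_name(name, package))
    return resolved, sorted(unresolved)
```

Calls that land in the unresolved list are where false negatives can remain, so a reviewer should treat those plugin load sites as unknown rather than as safe.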
Rust + Cargo support (GA)
Rust analysis now generally available. Supports Cargo.lock v3 and v4 formats. Call graph traces through trait implementations and async Tokio runtime entry points.
Resolved false positive in re-export patterns
Fixed a case where barrel exports (export * from './module') caused over-approximation of the call graph in TypeScript projects, leading to some not-reachable CVEs being reported as reachable.
Go modules support (GA)
Go reachability analysis now generally available. Supports go.sum and go.mod, including indirect dependencies. Interface method dispatch is handled conservatively — if a call site dispatches via interface and the concrete type is ambiguous, we mark the CVE as potentially reachable rather than miss it.
GitLab + Bitbucket integrations (GA)
GitLab merge request checks and Bitbucket Pipelines status checks now generally available. Supports group-level GitLab App installation and workspace-level Bitbucket OAuth. Both use the same reachability engine as the GitHub integration.
Initial release: JavaScript/TypeScript + Python reachability
Patchlynx launches with reachability analysis for JavaScript, TypeScript, and Python. Core features: lockfile diff-based PR scanning, call graph construction from configured entry points, CVE intersection against NVD and GitHub Advisory Database, inline PR check comments with call chain evidence.