Package Managers & Manifests - Cysmiq

Overview
Supported file types
JavaScript / TypeScript
Python
Go
Java / Kotlin
.NET
PHP
Ruby
Rust
Elixir / Erlang
Swift
Notes

Overview

Cysmiq parses dependency manifests and lock files to identify packages and match them against vulnerability advisories. This page lists supported file types by ecosystem.

Supported file types

JavaScript / TypeScript

Package Manager	Manifest	Lock File
npm	`package.json`	`package-lock.json`
Yarn	`package.json`	`yarn.lock`
pnpm	`package.json`	`pnpm-lock.yaml`

Python

Package Manager	Manifest	Lock File
pip	`requirements.txt`	-
Poetry	`pyproject.toml`	`poetry.lock`
Pipenv	`Pipfile`	`Pipfile.lock`
PDM	`pyproject.toml`	`pdm.lock`
uv	`pyproject.toml`	`uv.lock`

Go

Package Manager	Manifest	Lock File
Go modules	`go.mod`	`go.sum`
dep	`Gopkg.toml`	`Gopkg.lock`

Java / Kotlin

Package Manager	Manifest	Lock File
Maven	`pom.xml`	-
Gradle	`build.gradle`, `build.gradle.kts`	`gradle.lockfile`
Gradle (settings)	`settings.gradle`, `settings.gradle.kts`	`settings-gradle.lockfile`

.NET

Package Manager	Manifest	Lock File
NuGet	`packages.config`	-
NuGet (central)	`Directory.Packages.props`, `Packages.props`	-
NuGet	-	`packages.lock.json`
NuGet (generated)	-	`project.assets.json`, `*.deps.json`
Paket	-	`paket.lock`

PHP

Package Manager	Manifest	Lock File
Composer	`composer.json`	`composer.lock`

Ruby

Package Manager	Manifest	Lock File
Bundler	`Gemfile`	`Gemfile.lock`

Rust

Package Manager	Manifest	Lock File
Cargo	`Cargo.toml`	`Cargo.lock`

Elixir / Erlang

Package Manager	Manifest	Lock File
Mix	`mix.exs`	`mix.lock`
Rebar	`rebar.config`	`rebar.lock`

Swift

Package Manager	Manifest	Lock File
Swift Package Manager	`Package.swift`	`Package.resolved`

Notes

Lock files provide precise version information for transitive dependencies
When a lock file is present, Cysmiq uses it for version resolution where supported
Some ecosystems (pip with requirements.txt, Maven) don’t use lock files by default
Some .NET inputs are generated outputs used for dependency resolution

Self-hosting configuration Secret Verification Providers

⌘I