> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Dependencies

> Identify vulnerable packages and CVEs in your dependencies.

## Overview

Cysmiq scans dependency manifests and lock files to identify vulnerable packages and known CVEs across your repositories. Vulnerabilities are matched against advisory databases including [CVE](https://cve.mitre.org/) and [GitHub Security Advisories](https://github.com/advisories).

## How it works

Dependency scanning parses manifests and lock files to build a complete picture of your dependencies:

* **Direct dependencies**: Packages explicitly declared in your manifests
* **Transitive dependencies**: Packages pulled in by your direct dependencies (when lock files are present)
* **Vulnerability matching**: Package versions are checked against known advisories
* **Manifest grouping**: Related manifest and lock files are grouped into the same discovered manifest record where supported

## Enrichment

Dependency vulnerabilities include additional context to help prioritize remediation:

* CVE/GHSA identifiers and descriptions
* Severity scores (CVSS where available)
* EPSS scores when available
* Affected version ranges
* Fixed versions when known
* Links to advisories and remediation guidance

Package pages also show supply-chain context such as licensing and OpenSSF Scorecard data when available.

## Supported package managers

Cysmiq supports manifests and lock files for:

* **JavaScript/TypeScript**: npm, Yarn, pnpm
* **Python**: pip, Poetry, Pipenv, PDM, uv
* **Java/Kotlin**: Maven, Gradle
* **Go**: Go modules
* **PHP**: Composer
* **Ruby**: Bundler
* **Rust**: Cargo
* **.NET**: NuGet, Paket
* **Elixir/Erlang**: Mix, Rebar
* **Swift**: Swift Package Manager

See [Package Managers & Manifests](/reference/package-managers-manifests) for the full manifest file reference.

## SBOMs

SBOMs are generated from dependency data. See [SBOMs](/concepts/sboms) for details.

## Related concepts

* [Assets](/concepts/assets): how manifests and packages are tracked
* [Vulnerabilities](/concepts/vulnerabilities): severity, status, and lifecycle
