Supported languages and dependency files

Tidelift supports many different package manager ecosystems.

We work out your dependencies with the same files used by package managers. A manifest file describes your application's direct requirements, while a lockfile snapshots exact versions and transitive dependencies at a moment in time. Tidelift can best analyze your dependencies if we have both files.

Fully Supported

Ecosystem, with supported manifests and supported lockfiles:

  • Ruby (RubyGems)
    • Manifests: *.gemspec, Gemfile
    • Lockfiles: Gemfile.lock
  • Python (PyPI)
    • Manifests: requirements.txt, Pipfile
    • Lockfiles: Pipfile.lock
  • JavaScript (npm)
    • Manifests: package.json
    • Lockfiles: yarn.lock, package-lock.json
  • PHP (Packagist)
    • Manifests: composer.json
    • Lockfiles: composer.lock
  • Java (Maven)
    • Manifests: pom.xml, ivy.xml
    • Lockfiles:
      • gradle-dependencies-q.txt (run gradle dependencies -q > gradle-dependencies-q.txt and upload gradle-dependencies-q.txt with that exact name)
      • xml files from your .ivy2 directory
      • maven-resolved-dependencies.txt (run mvn dependency:list -DoutputFile=maven-resolved-dependencies.txt and upload maven-resolved-dependencies.txt with that exact name). More information on how to use the plugin can be found in the Dependency Plugin Documentation.

Beta Support

We have beta support for quite a few other package managers. If you try these and have feedback for us, please email

Note that this beta list is not yet subject to our full scope of support for paying subscribers. However, if you are a subscriber we'd love to extend our coverage to the package managers you care about.

  • npm
    • npm-shrinkwrap.json
    • Note that package.json, package-lock.json, and yarn.lock are in the fully-supported list above
  • RubyGems
    • gems.rb
    • gems.locked
    • Note that *.gemspec, Gemfile, and Gemfile.lock are in the fully-supported list above
  • PyPI
    • req*.txt
    • req*.pip
    • requirements/*.pip
    • Note that requirements.txt, Pipfile, and Pipfile.lock are in the fully-supported list above
  • Maven
    • build.gradle (sometimes we can get something from this, but rarely; it's better to upload gradle-dependencies-q.txt as noted in the fully-supported list above)
    • Note that pom.xml, ivy.xml, gradle-dependencies-q.txt, and .ivy2 cache xml files are in the fully-supported list above.
  • NuGet
    • packages.config
    • Project.json
    • Project.lock.json
    • *.nuspec
    • paket.lock
    • *.csproj
  • Bower
    • bower.json
  • CPAN
    • META.json
    • META.yml
  • CocoaPods
    • Podfile
    • Podfile.lock
    • *.podspec
  • Clojars
    • project.clj
  • Meteor
    • versions.json
  • CRAN
  • Cargo
    • Cargo.toml
    • Cargo.lock
  • Hex
    • mix.exs
    • mix.lock
  • Swift
    • Package.swift
  • Pub
    • pubspec.yaml
    • pubspec.lock
  • Carthage
    • Cartfile
    • Cartfile.private
    • Cartfile.resolved
  • Dub
    • dub.json
    • dub.sdl
  • Julia
  • Shards
    • shard.yml
    • shard.lock
  • Go
    • glide.yaml
    • glide.lock
    • Godeps
    • Godeps/Godeps.json
    • vendor/manifest
    • vendor/vendor.json
    • Gopkg.toml
    • Gopkg.lock
  • Elm
    • elm-package.json
    • elm_dependencies.json
    • elm-stuff/exact-dependencies.json
  • Haxelib
    • haxelib.json
  • Hackage
    • *.cabal
    • cabal.config

Again, the list above is in beta; see the table at the top of the page for the fully-supported list.
