Supported languages and dependency files

Tidelift supports many different package manager ecosystems.

We work out your dependencies with the same files used by package managers. A manifest file describes your application's direct requirements, while a lockfile snapshots exact versions and transitive dependencies at a moment in time. Tidelift can best analyze your dependencies if we have both files.

Fully Supported

Ruby (RubyGems)
  • Supported manifests
    • *.gemspec
    • Gemfile
  • Supported lockfiles
    • Gemfile.lock
Python (PyPI)
  • Supported manifests
    • requirements.txt
    • Pipfile
  • Supported lockfiles
    • Pipfile.lock
JavaScript (npm)
  • Supported manifests
    • package.json
  • Supported lockfiles
    • yarn.lock
    • package-lock.json
PHP (Packagist)
  • Supported manifests
    • composer.json
  • Supported lockfiles
    • composer.lock
Java (Maven)
  • Supported manifests
    • pom.xml
    • ivy.xml
  • Supported lockfiles
    • gradle-dependencies-q.txt (run gradle dependencies -q > gradle-dependencies-q.txt and upload gradle-dependencies-q.txt with that exact name)
    • xml files from your .ivy2 directory
    • maven-resolved-dependencies.txt (run mvn dependency:list -DoutputFile=maven-resolved-dependencies.txt and upload maven-resolved-dependencies.txt with that exact name). More information on how to use the plugin can be found in the Dependency Plugin Documentation.

Beta Support

We have beta support for quite a few other package managers. If you try these and have feedback for us, please email support@tidelift.com.

Note that this beta list is not yet subject to our full scope of support for paying subscribers. However, if you are a subscriber we'd love to extend our coverage to the package managers you care about.

  • npm
    • npm-shrinkwrap.json
    • Note that package.json, package-lock.json, and yarn.lock are in the fully-supported list above
  • RubyGems
    • gems.rb
    • gems.locked
    • Note that *.gemspec, Gemfile, and Gemfile.lock are in the fully-supported list above
  • PyPI
    • setup.py
    • req*.txt
    • req*.pip
    • requirements/*.pip
    • Note that requirements.txt, Pipfile, and Pipfile.lock are in the fully-supported list above
  • Maven
    • build.gradle (sometimes we can get something from this, but rarely; it's better to upload gradle-dependencies-q.txt as noted in the fully-supported list above)
    • Note that pom.xml, ivy.xml, gradle-dependencies-q.txt, and .ivy2 cache xml files are in the fully-supported list above.
  • NuGet
    • packages.config
    • Project.json
    • Project.lock.json
    • *.nuspec
    • paket.lock
    • *.csproj
  • Bower
    • bower.json
  • CPAN
    • META.json
    • META.yml
  • CocoaPods
    • Podfile
    • Podfile.lock
    • *.podspec
  • Clojars
    • project.clj
  • Meteor
    • versions.json
  • CRAN
    • DESCRIPTION
  • Cargo
    • Cargo.toml
    • Cargo.lock
  • Hex
    • mix.exs
    • mix.lock
  • Swift
    • Package.swift
  • Pub
    • pubspec.yaml
    • pubspec.lock
  • Carthage
    • Cartfile
    • Cartfile.private
    • Cartfile.resolved
  • Dub
    • dub.json
    • dub.sdl
  • Julia
    • REQUIRE
  • Shards
    • shard.yml
    • shard.lock
  • Go
    • glide.yaml
    • glide.lock
    • Godeps
    • Godeps/Godeps.json
    • vendor/manifest
    • vendor/vendor.json
    • Gopkg.toml
    • Gopkg.lock
  • Elm
    • elm-package.json
    • elm_dependencies.json
    • elm-stuff/exact-dependencies.json
  • Haxelib
    • haxelib.json
  • Hackage
    • *.cabal
    • cabal.config

Again, the list above is in beta; see the table at the top of the page for the fully-supported list.
