Supported package managers
Last updated: Mar 16, 2026
Supported
Currently, these are the package managers supported by Fluid Attacks:
- nuget (.csproj, Directory.Packages.props, nuget.config, packages.lock.json)
- pub (pubspec.lock, pubspec.yaml)
- Go (go.mod, go.sum)
- Gradle (build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle-wrapper.properties, AndroidManifest.xml)
- Maven (pom.xml)
- Bun (bun.lockb, bunfig.toml)
- NPM (.npmrc, npm-shrinkwrap.json, package.json, package-lock.json)
- Yarn (.yarnrc, .yarnrc.yml, package.json, yarn.lock)
- PNPM (package.json, pnpm-lock.yaml, pnpm-workspace.yaml)
- Composer (composer.json, composer.lock)
- Pip (pyproject.toml, requirements.in, requirements.txt, requirements-dev.txt, requirements-prod.txt, setup.py)
- Poetry (poetry.lock, pyproject.toml)
- Pipenv (Pipfile, Pipfile.lock)
- UV (pyproject.toml, uv.lock)
- Bundler (Gemfile, Gemfile.lock)
- Rubygems (.gem)
- SBT (build.sbt)
- Swift (Package.resolved, Package.swift)
- Cocoapods (Podfile, Podfile.lock)
The following are the extensions of other supported files that work as dependency sources:
- .ascx
- .html
- exe.config
Unsupported
Fluid Attacks’ package manager support does not currently include the following:
- Ant
- Bazel
- Bower
- Cargo
- Carthage
- Conan
- CPAN
- Dep
- Glide
- godep
- Govendor
- HEX
- Ivy
- JARs
- Mix
- Paket
- pip-tools
- Yarn 2
- Yarn 3
Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .