Package managers
Last updated: Jun 18, 2026
Application package managers
| Language | Package manager | Supported versions | Analyzed files |
|---|---|---|---|
| JavaScript / TypeScript | npm | >= 5.0 | package.json, package-lock.json (lockfile versions 1, 2 and 3) |
| JavaScript / TypeScript | Yarn | >= 1.0 | yarn.lock (Classic and Berry formats) |
| JavaScript / TypeScript | pnpm | >= 3.0 | pnpm-lock.yaml (lockfile versions 5, 6 and 9) |
| JavaScript / TypeScript | Bun | >= 1.1.39 | bun.lock (text-based lockfile) |
| Python | pip | >= 1.0 | requirements.txt and other .txt requirements files, requirements.in |
| Python | Poetry | >= 1.0 | poetry.lock, pyproject.toml |
| Python | Pipenv | >= 1.0 | Pipfile, Pipfile.lock |
| Python | uv | >= 0.4.0 | uv.lock, pyproject.toml (PEP 621 and dependency groups) |
| Java / Kotlin | Maven | >= 2.0 | pom.xml (POM model 4.0.0) |
| Java / Kotlin | Gradle | >= 2.0 | build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.lockfile (Gradle >= 6.4), gradle-wrapper.properties |
| Scala | sbt | >= 0.13 | build.sbt |
| C# / .NET | NuGet | >= 1.0 | *.csproj (PackageReference, NuGet >= 4.0), packages.lock.json (NuGet >= 4.9), packages.config, *.deps.json |
| Go | go | >= 1.17 | go.mod |
| Rust | Cargo | >= 1.0 | Cargo.toml, Cargo.lock |
| Elixir | mix (Hex) | >= 1.0 | mix.exs, mix.lock |
| PHP | Composer | >= 1.0 | composer.json, composer.lock, installed.json |
| Ruby | Bundler | >= 1.0 | Gemfile, Gemfile.lock, gems.locked |
| Ruby | RubyGems | >= 1.0 | *.gemspec |
| Dart / Flutter | pub | >= 2.0 (Dart SDK) | pubspec.yaml, pubspec.lock |
| Swift | Swift Package Manager | >= 4.0 (Swift tools) | Package.swift, Package.resolved (pins v2 and v3, Swift >= 5.6) |
| Swift / Objective-C | CocoaPods | >= 1.0 | Podfile, Podfile.lock |
OS package managers
When scanning container images and file systems, Fluid Attacks also detects packages installed by operating system package managers:
| Distribution | Package manager | Supported versions | Analyzed files |
|---|---|---|---|
| Alpine | apk | >= 2.0, < 3.0 | /lib/apk/db/installed (database format v2) |
| Debian / Ubuntu / Distroless | dpkg | >= 1.0 | /var/lib/dpkg/status, /var/lib/dpkg/status.d/* |
| Arch Linux | pacman | >= 3.0 | /var/lib/pacman/local/**/desc |
| RHEL / Fedora / SUSE | rpm | >= 4.0 | rpm databases (BerkeleyDB, NDB and SQLite) and .rpm files |
Other analyzed files
The following sources are not package managers. However, the scanner also extracts dependency information from these files when analyzing repositories, container images and built artifacts:
- .jar, .war, .ear, .par, .sar, .nar, .jpi, .hpi, .lpkg (Java archives, including nested archives)
- .apk (Android packages, embedded dependency metadata)
- *.dist-info/METADATA, *.egg-info, PKG-INFO (installed Python packages)
- .html and .ascx (CDN script tags)
- .dll and .exe (portable executable metadata)
- .exe.config (.NET Framework runtime version)
Unsupported
Fluid Attacks' package manager support does not currently include the following:
- Ant
- Bazel
- Bower
- Carthage
- Conan
- CPAN
- Dep
- Glide
- godep
- Govendor
- Ivy
- Paket