Tidelift is compatible with many different package manager ecosystems.
We generate a bill of materials for your project with the same files used by package managers. A manifest file describes your application's direct requirements, while a lockfile snapshots exact versions and transitive dependencies at a moment in time. Tidelift can generate the most complete bill of materials if we have both files.
| Ecosystem | Compatible Manifests | Compatible Lockfiles |
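To make the manifest/lockfile distinction concrete, the following added example (not Tidelift's code or its actual resolution logic) builds a bill of materials from a constructed `package.json` and a constructed `package-lock.json` in the npm `lockfileVersion` 3 layout. The package names, versions, and the `build_bom` helper are assumptions made for illustration.

```python
import json

# Constructed sample inputs (not from a real project).
MANIFEST = json.loads("""{
  "name": "demo-app", "version": "1.0.0",
  "dependencies": {"web-lib": "^2.1.0"},
  "devDependencies": {"test-lib": "~1.4.0"}
}""")

LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/web-lib": {"version": "2.3.1"},
    "node_modules/parse-util": {"version": "0.9.4"},
    "node_modules/web-lib/node_modules/parse-util": {"version": "0.8.0"},
    "node_modules/test-lib": {"version": "1.4.2"}
  }
}""")


def build_bom(manifest, lockfile=None):
    """Return sorted BOM rows: (name, version_or_range, scope, pinned)."""
    direct = {}
    for section in ("dependencies", "devDependencies"):
        direct.update(manifest.get(section, {}))
    if lockfile is None:
        # Manifest only: declared ranges for direct requirements, nothing transitive.
        return sorted((n, r, "direct", False) for n, r in direct.items())
    rows = set()
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last name.
        name = path.rsplit("node_modules/", 1)[-1]
        top_level = path == "node_modules/" + name
        scope = "direct" if top_level and name in direct else "transitive"
        rows.add((name, meta["version"], scope, True))
    return sorted(rows)


if __name__ == "__main__":
    for label, bom in (("manifest only", build_bom(MANIFEST)),
                       ("manifest + lockfile", build_bom(MANIFEST, LOCKFILE))):
        print(label)
        for row in bom:
            print("  ", row)
```

With only the manifest, the result holds two unpinned ranges; with the lockfile it holds four exact versions, including two different copies of `parse-util` that the manifest never mentions.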
We have beta compatibility for quite a few other package managers. If you try these and have feedback for us, please log a support ticket.
Note that this beta list is not yet subject to our full scope of support for paying subscribers. However, if you are a subscriber, we'd love to extend our coverage to the package managers you care about.
- Note that package.json, package-lock.json, and yarn.lock are in the fully-supported list above
- Note that *.gemspec, Gemfile, and Gemfile.lock are in the fully-supported list above
- Note that requirements.txt, Pipfile, and Pipfile.lock are in the fully-supported list above
- build.gradle (sometimes we can get something from this, but rarely; it's better to upload gradle-dependencies-q.txt as noted in the fully-supported list above)
- Note that pom.xml, ivy.xml, gradle-dependencies-q.txt, .ivy2 cache xml files, and sbt updateFull output are in the fully-supported list above
Again, the list above is in beta; see the table at the top of the page for the fully-compatible list.