# Supported Ecosystems

## Overview

Nullify discovers manifests automatically and keeps the following ecosystems up to date. “Autofix” indicates that Nullify can draft upgrade pull requests for that manifest. “Reachability” shows where we trace exploit paths through application code before alerting.

| Ecosystem      | Manifest Files                                                            | Autofix Support | Reachability |
| -------------- | ------------------------------------------------------------------------- | --------------- | ------------ |
| Bun            | `bun.lock`                                                                | Yes             | No           |
| Cargo (Rust)   | `Cargo.toml`, `Cargo.lock`                                                | Planned         | No           |
| Composer (PHP) | `composer.json`, `composer.lock`                                          | Yes             | No           |
| Go Modules     | `go.mod`, `go.sum`                                                        | Yes             | Yes          |
| Gradle         | `build.gradle`, `gradle.lockfile`, `libs.versions.toml`                   | Yes             | No           |
| Maven          | `pom.xml`                                                                 | Yes             | Yes          |
| npm / pnpm     | `package.json`, `package-lock.json`, `pnpm-lock.yaml`                     | Yes             | Yes          |
| Yarn           | `yarn.lock`                                                               | Yes             | No           |
| NuGet (.NET)   | `.csproj`                                                                 | Planned         | No           |
| Pipenv         | `Pipfile`, `Pipfile.lock`                                                 | Planned         | No           |
| Poetry         | `poetry.lock`                                                             | Planned         | No           |
| PyPI / Conda   | `requirements.txt`, `pyproject.toml`, `environment.yml`, `conda-lock.yml` | Yes             | Yes          |
| RubyGems       | `Gemfile`, `Gemfile.lock`                                                 | Yes             | No           |
| uv             | `uv.lock`                                                                 | Planned         | No           |

> ℹ️ “Planned” indicates manifest ingestion and alerting are live today, with automated upgrades scheduled for release. Security Program Management campaigns can still orchestrate manual remediation workflows for those ecosystems.