Supported Ecosystems

Overview

Nullify discovers manifests automatically and keeps the following ecosystems up to date. “Autofix” indicates that Nullify can draft upgrade pull requests for that manifest. “Reachability” shows where we trace exploit paths through application code before alerting.

| Ecosystem | Manifest Files | Autofix Support | Reachability |
| --- | --- | --- | --- |
| Bun | bun.lock | Yes | No |
| Cargo (Rust) | Cargo.toml, Cargo.lock | Planned | No |
| Composer (PHP) | composer.json, composer.lock | Yes | No |
| Go Modules | go.mod, go.sum | Yes | Yes |
| Gradle | build.gradle, gradle.lockfile, libs.versions.toml | Yes | No |
| Maven | pom.xml | Yes | Yes |
| npm / pnpm | package.json, package-lock.json, pnpm-lock.yaml | Yes | Yes |
| Yarn | yarn.lock | Yes | No |
| NuGet (.NET) | .csproj | Planned | No |
| Pipenv | Pipfile, Pipfile.lock | Planned | No |
| Poetry | poetry.lock | Planned | No |
| PyPI / Conda | requirements.txt, pyproject.toml, environment.yml, conda-lock.yml | Yes | Yes |
| RubyGems | Gemfile, Gemfile.lock | Yes | No |
| uv | uv.lock | Planned | No |

ℹ️ “Planned” indicates manifest ingestion and alerting are live today, with automated upgrades scheduled for release. Security Program Management campaigns can still orchestrate manual remediation workflows for those ecosystems.
