RepoWarden supports the most popular languages and package managers. Here is what is available today and what is coming next.
Node.js (npm, Yarn, pnpm)
Manifest files detected: package.json
Lock files recognized: package-lock.json, yarn.lock, pnpm-lock.yaml

npm
Detection: package-lock.json is present, or no lock file is found at all (npm is the default).
Full support for all semver range operators (^, ~, >=, exact). Workspace references, link:, and file: references are automatically skipped.

Yarn 1 (classic)
Detection: yarn.lock is present and there is neither a .yarnrc.yml file nor a packageManager field specifying Yarn 2+.
Equivalent to npm support. The lock file is regenerated by running yarn install after updates.

Yarn 2+ (Berry)
Detection: .yarnrc.yml exists, or the packageManager field in package.json specifies a Yarn version >= 2.
Uses the Berry-specific install flags. Both the Plug'n'Play and node_modules linkers are supported.

pnpm
Detection: pnpm-lock.yaml is present.
Full support, including workspace protocol (workspace:*) references, which are correctly skipped during updates.

Vulnerability scanning: Yes -- uses the npm bulk advisory API to check all dependencies against known CVEs. Severity levels (critical, high, moderate, low) are included in PR descriptions.
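The detection rules above, written out as an added example (this is not RepoWarden's own code). It takes the set of file names in the repository root and the parsed package.json and returns the package manager RepoWarden would pick; the precedence when several signals coexist (Berry config and pnpm lock before the generic yarn.lock / npm fallback) is an assumption, as is the exact shape of the packageManager regex. It also shows the workspace:/link:/file: skip rule for dependency specifiers.

```python
"""Package-manager detection for a JavaScript repository.

Added example, not RepoWarden's own code. Applies the detection rules from
the section above to (a) the file names in the repository root and (b) the
parsed package.json. Precedence between coexisting signals is an assumption:
specific signals (Berry config, pnpm lock file) are tested before generic
ones, and npm is the fallback.
"""
import re
from typing import Optional

# packageManager values look like "yarn@3.6.1" or "yarn@3.6.1+sha256.<hash>" (assumed shape).
_YARN_PM_RE = re.compile(r"yarn@(\d+)(?:\.\d+)*(?:\+.*)?")

# Specifier prefixes that point inside the repository rather than at the
# registry and are skipped during updates (from the section above).
LOCAL_SPEC_PREFIXES = ("workspace:", "link:", "file:")


def yarn_major_from_package_manager(package_json: dict) -> Optional[int]:
    """Major Yarn version named by the packageManager field, or None if absent or not Yarn."""
    match = _YARN_PM_RE.fullmatch(package_json.get("packageManager", ""))
    return int(match.group(1)) if match else None


def detect_package_manager(root_files: set, package_json: dict) -> str:
    """Return 'yarn-berry', 'pnpm', 'yarn-classic' or 'npm'."""
    yarn_major = yarn_major_from_package_manager(package_json)
    # Yarn 2+ (Berry): .yarnrc.yml exists or packageManager pins Yarn >= 2.
    if ".yarnrc.yml" in root_files or (yarn_major is not None and yarn_major >= 2):
        return "yarn-berry"
    # pnpm: its lock file is present.
    if "pnpm-lock.yaml" in root_files:
        return "pnpm"
    # Yarn 1 (classic): yarn.lock with no Berry signal (excluded above).
    if "yarn.lock" in root_files:
        return "yarn-classic"
    # npm: package-lock.json present, or no lock file at all (the default).
    return "npm"


def is_updatable_spec(spec: str) -> bool:
    """False for workspace:, link: and file: references, which are never updated."""
    return not spec.startswith(LOCAL_SPEC_PREFIXES)


if __name__ == "__main__":
    # Constructed sample repository: yarn.lock plus a packageManager pin to Yarn 3.
    files = {"package.json", "yarn.lock"}
    pkg = {
        "packageManager": "yarn@3.6.1",
        "dependencies": {"shared": "workspace:*", "lodash": "^4.17.21"},
    }
    print(detect_package_manager(files, pkg))  # yarn-berry
    print([n for n, s in pkg["dependencies"].items() if is_updatable_spec(s)])  # ['lodash']
```

Run with no arguments to see the constructed sample classified; the yarn.lock alone would mean Yarn classic, but the packageManager pin to Yarn 3 wins, which is the case that most often surprises people migrating between Yarn versions.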
Python
Manifest files detected: requirements.txt, pyproject.toml, Pipfile
Lock files recognized: requirements.txt (pinned), Pipfile.lock, poetry.lock

requirements.txt
Detection: requirements.txt is present in the repository root.
Supports all PEP 440 version operators: ==, >=, ~=, <=, !=, >, <. Lines starting with -r, -e, or -c (recursive includes, editable installs, constraint files) are skipped.

pyproject.toml
Detection: pyproject.toml defines a [project] table with a dependencies array.
Parses the PEP 508 dependency specifiers in that array. Optional dependency groups under [project.optional-dependencies] are also scanned.

Pipfile
Detection: a Pipfile is present.
Both the [packages] and [dev-packages] sections are parsed. Version strings such as "==1.2.3" and ">=1.2.3" are supported.

Vulnerability scanning: Limited -- Python dependencies are checked against PyPI for latest versions, but advisory-level CVE checking is not yet integrated. This is on the roadmap.
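A requirements.txt parser that follows the rules in the requirements.txt entry above, as an added example (not RepoWarden's own code): it recognises every PEP 440 operator listed, skips -r / -e / -c lines, and reports whether the file is fully pinned (every line an exact ==), which is what makes a requirements.txt usable as a lock file. Two behaviours go beyond the page and are assumptions: other option lines (starting with "--") and direct URL references ("name @ https://...") are also skipped.

```python
"""requirements.txt parsing as described in the section above.

Added example, not RepoWarden's own code. Assumptions beyond the page:
lines starting with "--" (other pip options) and direct URL references
("name @ url") are skipped as well; backslash line continuations are not
handled.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Longest operators first so ">=" is matched before ">" and "===" before "==".
PEP440_OPERATORS = ("===", "==", "~=", "!=", "<=", ">=", "<", ">")
SKIP_PREFIXES = ("-r", "-e", "-c", "--")  # includes, editable installs, constraints, options

# name, optional [extras], then the remainder (specifiers).
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


@dataclass
class Requirement:
    name: str
    specifiers: List[Tuple[str, str]] = field(default_factory=list)  # (operator, version)
    marker: str = ""  # PEP 508 environment marker after ';', if any


def parse_specifiers(text: str) -> List[Tuple[str, str]]:
    """Split ">=1.4,<2" into [(">=", "1.4"), ("<", "2")]."""
    specs = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        for op in PEP440_OPERATORS:
            if part.startswith(op):
                specs.append((op, part[len(op):].strip()))
                break
        else:
            raise ValueError(f"unrecognised version specifier: {part!r}")
    return specs


def parse_requirements(text: str) -> List[Requirement]:
    """Parse requirements.txt content into Requirement records, skipping non-package lines."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        if " @ " in line:  # assumption: direct URL references are not updated
            continue
        body, _, marker = line.partition(";")
        m = _NAME_RE.match(body.strip())
        if not m:
            raise ValueError(f"cannot parse requirement line: {raw!r}")
        name, _extras, spec_text = m.groups()
        reqs.append(Requirement(name, parse_specifiers(spec_text), marker.strip()))
    return reqs


def is_fully_pinned(reqs: List[Requirement]) -> bool:
    """True when every requirement is a single exact == pin (lock-file quality)."""
    return bool(reqs) and all(
        len(r.specifiers) == 1 and r.specifiers[0][0] == "==" for r in reqs
    )


# Constructed sample file exercising the skip rules and every operator class.
SAMPLE_REQUIREMENTS = """\
# constructed sample
-r base.txt
-e .
-c constraints.txt
requests>=2.31.0,<3
Django~=4.2
numpy==1.26.4  # pinned
urllib3!=2.0.0
typing-extensions>=4.0; python_version < "3.11"
"""

if __name__ == "__main__":
    for req in parse_requirements(SAMPLE_REQUIREMENTS):
        print(req)
    print("fully pinned:", is_fully_pinned(parse_requirements(SAMPLE_REQUIREMENTS)))  # False
```

The `is_fully_pinned` check is the practical distinction between the two roles the page gives requirements.txt: a manifest with ranges to resolve against PyPI, or a pinned file that already acts as the lock.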
Rust
Manifest files detected: Cargo.toml
Lock files recognized: Cargo.lock

Cargo
Detection: Cargo.toml is present in the repository root.
Supports both simple (name = "version") and inline table (name = { version = "x", features = [...] }) dependency declarations. Both the [dependencies] and [dev-dependencies] sections are scanned. Cargo's default caret semantics are respected, including the special 0.x behavior where ^0.8 only updates within 0.8.x.

Vulnerability scanning: Not yet -- RustSec advisory database integration is planned. Currently, Rust dependencies are checked for version updates only.
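An added example (not RepoWarden's own code) of the two Cargo behaviours described above: reading both declaration shapes from an already-parsed Cargo.toml, and applying caret semantics to pick the newest allowed version. It goes beyond the page's ^0.8 case to Cargo's general rule that a caret (or bare) requirement may only change digits to the right of the leftmost non-zero component (^1.2.3 allows <2.0.0, ^0.8 allows <0.9.0, ^0.0.3 allows <0.0.4). Assumptions: the Cargo.toml has already been parsed into a dict (the shape a TOML library returns), pre-release suffixes are ignored when comparing, and declarations without a version (path or git only) are skipped.

```python
"""Cargo caret semantics and dependency-declaration handling.

Added example, not RepoWarden's own code. Implements Cargo's "leftmost
non-zero component" caret rule (general case of the ^0.8 example on the
page). Assumptions: Cargo.toml arrives already parsed into a dict,
pre-release/build suffixes are dropped for comparison, and declarations
with no version key (path/git) are skipped.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'0.8' -> (0, 8, 0); '1.2.3-beta+meta' -> (1, 2, 3) (suffixes ignored)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def caret_upper_bound(req: str) -> Version:
    """Exclusive upper bound of a caret requirement (a bare version is caret by default)."""
    body = req.lstrip("^").strip()
    given_parts = body.split("-", 1)[0].split(".")  # how many components were written
    major, minor, patch = parse_version(body)
    if major > 0:
        return (major + 1, 0, 0)          # ^1.2.3 -> <2.0.0
    if len(given_parts) == 1:
        return (1, 0, 0)                  # ^0     -> <1.0.0
    if len(given_parts) == 2 or minor > 0:
        return (0, minor + 1, 0)          # ^0.8, ^0.8.2 -> <0.9.0 ; ^0.0 -> <0.1.0
    return (0, 0, patch + 1)              # ^0.0.3 -> <0.0.4


def caret_allows(req: str, candidate: str) -> bool:
    """True if candidate satisfies the caret requirement."""
    lower = parse_version(req.lstrip("^"))
    return lower <= parse_version(candidate) < caret_upper_bound(req)


def newest_allowed(req: str, candidates: List[str]) -> Optional[str]:
    """Highest published version the requirement permits, or None."""
    allowed = [c for c in candidates if caret_allows(req, c)]
    return max(allowed, key=parse_version) if allowed else None


def cargo_requirements(cargo_toml: dict) -> List[Tuple[str, str, str]]:
    """(section, crate, version requirement) for [dependencies] and [dev-dependencies]."""
    found = []
    for section in ("dependencies", "dev-dependencies"):
        for crate, decl in cargo_toml.get(section, {}).items():
            # Simple form is a string; inline-table form is a dict with a "version" key.
            version = decl if isinstance(decl, str) else decl.get("version")
            if version:
                found.append((section, crate, version))
    return found


# Constructed sample, in the shape a TOML parser returns for Cargo.toml.
SAMPLE_CARGO = {
    "dependencies": {
        "serde": {"version": "1.0", "features": ["derive"]},
        "rand": "0.8",
        "local-tool": {"path": "../local-tool"},  # no version: skipped
    },
    "dev-dependencies": {"tempfile": "3.10.1"},
}

if __name__ == "__main__":
    published = {"rand": ["0.8.1", "0.8.5", "0.9.0", "1.0.0"]}
    for section, crate, req in cargo_requirements(SAMPLE_CARGO):
        print(section, crate, req, "->", newest_allowed(req, published.get(crate, [])))
```

For the constructed `rand = "0.8"` entry the answer is 0.8.5, not 0.9.0 or 1.0.0: under caret semantics the 0.9 line is a breaking change, which is exactly why a version-update bot must not treat 0.x crates like 1.x ones.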
Go
Manifest files detected: go.mod
Lock files recognized: go.sum

Go modules
Detection: go.mod is present in the repository root.
Parses the require block for all direct dependencies. Indirect dependencies are left to go mod tidy. Replace directives, pseudo-versions (v0.0.0-timestamp-hash), and golang.org/x/ modules (the extended standard library) are automatically skipped.

Vulnerability scanning: Yes -- uses govulncheck, the official Go vulnerability scanner. It performs call-graph analysis to determine whether your code actually calls the vulnerable functions, so findings are not raised for imported-but-unused code paths. Backed by vuln.go.dev.
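The go.mod skip rules from the entry above, as an added example (not RepoWarden's own code): a small directive parser that handles both single-line and parenthesised block forms, drops `// indirect` entries, modules named in replace directives, pseudo-versions and golang.org/x/ modules, and returns the direct dependencies that are candidates for an update. The go.mod text is constructed for the example; the pseudo-version regex is my own reading of the v0.0.0-yyyymmddhhmmss-abcdefabcdef form (and its -pre.0. / -0. variants).

```python
"""Direct, updatable dependencies from a go.mod file.

Added example, not RepoWarden's own code. Applies the skip rules from the
section above: // indirect entries, replaced modules, pseudo-versions and
golang.org/x/ modules are dropped. The pseudo-version pattern is an
assumption based on the documented vX.Y.Z-yyyymmddhhmmss-abcdefabcdef form.
"""
import re
from typing import Iterator, List, Tuple

# v0.0.0-20240101120000-0123456789ab, v1.2.3-pre.0.<ts>-<hash>, v1.2.4-0.<ts>-<hash>
PSEUDO_VERSION_RE = re.compile(r"^v\d+\.\d+\.\d+-(?:[\w.]+\.)?\d{14}-[0-9a-f]{12}$")


def is_pseudo_version(version: str) -> bool:
    return bool(PSEUDO_VERSION_RE.match(version))


def _directives(text: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (directive, payload, is_indirect) for single-line and block-form directives."""
    current = None  # directive name while inside a "( ... )" block
    for raw in text.splitlines():
        code, _, comment = raw.partition("//")
        code = code.strip()
        indirect = "indirect" in comment
        if not code:
            continue
        if current is not None:
            if code == ")":
                current = None
            else:
                yield current, code, indirect
            continue
        head, _, rest = code.partition(" ")
        rest = rest.strip()
        if rest == "(":
            current = head
        elif rest:
            yield head, rest, indirect


def direct_dependencies(gomod_text: str) -> List[Tuple[str, str]]:
    """(module, version) pairs that RepoWarden-style rules would consider for updates."""
    replaced = set()
    for directive, payload, _ in _directives(gomod_text):
        if directive == "replace":
            replaced.add(payload.split("=>")[0].split()[0])  # left-hand module path
    deps = []
    for directive, payload, indirect in _directives(gomod_text):
        if directive != "require" or indirect:
            continue
        module, version = payload.split()[:2]
        if module in replaced or module.startswith("golang.org/x/") or is_pseudo_version(version):
            continue
        deps.append((module, version))
    return deps


# Constructed go.mod exercising every skip rule.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require (
    github.com/gorilla/mux v1.8.1
    golang.org/x/crypto v0.21.0
    github.com/acme/lib v0.0.0-20240101120000-0123456789ab
    github.com/other/dep v2.3.0 // indirect
    github.com/old/lib v1.0.0
)

replace github.com/old/lib => ../old-lib

require github.com/single/dep v1.5.0
"""

if __name__ == "__main__":
    for module, version in direct_dependencies(SAMPLE_GO_MOD):
        print(module, version)
```

Of the six require entries in the constructed file only gorilla/mux and single/dep survive: the others are skipped for exactly the reasons the page lists, and the two-pass structure is needed because a replace directive may appear after the require block it affects.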
.NET (planned)
Manifest files detected: .csproj, Directory.Packages.props
Lock files recognized: packages.lock.json

NuGet
Detection: will be detected when .csproj files with PackageReference elements are present.
Planned support for both individual project files and centralized package management via Directory.Packages.props.

Vulnerability scanning: Planned -- will integrate with the GitHub Advisory Database for NuGet packages.
We are actively adding support for more runtimes. If your stack is not listed here, let us know and we will prioritize it.