
Supported Lockfiles

The Phylum CLI supports processing many different lockfiles:

| Lockfile type | Lockfiles |
|---------------|-----------|
| npm | `package-lock.json`, `npm-shrinkwrap.json` |
| yarn | `yarn.lock` (Version 1 + 2) |
| pnpm | `pnpm-lock.yaml` |
| pip | `requirements*.txt` |
| pipenv | `Pipfile.lock` |
| poetry | `poetry.lock` (Version 1 + 2) |
| gem | `Gemfile.lock` |
| msbuild | `*.csproj` |
| nugetlock | `packages.lock.json`, `packages.*.lock.json` |
| mvn | `effective-pom.xml` |
| gradle | `gradle.lockfile`, `gradle/dependency-locks/*.lockfile` |
| go | `go.sum` |
| gomod | `go.mod` |
| cargo | `Cargo.lock` |
| spdx | `*.spdx.json`, `*.spdx.yaml`, `*.spdx.yml`, `*.spdx` |
| cyclonedx | `*bom.json`, `*bom.xml` |

NOTE:

The lockfile type will be automatically detected based on the filename.

If needed, this can be overridden with the --type (-t) option.


TIP: Manifest Support

Lockfiles can also automatically be generated for certain manifest files. See lockfile generation for details.