Supported Lockfiles
The Phylum CLI supports processing many different lockfiles:
| Lockfile type | Lockfiles |
|---|---|
npm | package-lock.json npm-shrinkwrap.json |
yarn | yarn.lock (Version 1 + 2) |
pnpm | pnpm-lock.yaml |
pip | requirements*.txt |
pipenv | Pipfile.lock |
poetry | poetry.lock (Version 1 + 2) |
gem | Gemfile.lock |
msbuild | *.csproj |
nugetlock | packages.lock.json packages.*.lock.json |
mvn | effective-pom.xml |
gradle | gradle.lockfile gradle/dependency-locks/*.lockfile |
go | go.sum |
gomod | go.mod |
cargo | Cargo.lock |
spdx | *.spdx.json *.spdx.yaml *.spdx.yml *.spdx |
cyclonedx | *bom.json *bom.xml |
NOTE:
The lockfile type will be automatically detected based on the filename.
If needed, this can be overridden with the
--type(-t) option.
TIP: Manifest Support
Lockfiles can also automatically be generated for certain manifest files. See lockfile generation for details.