DependencyDesk supports analyzing dependencies from multiple programming languages and package managers. Below is a detailed breakdown of what's supported and how dependencies are extracted.
Fully Supported
These languages and package managers are fully supported with dependency parsing, version detection, and license identification.
| Language | Package Manager | Files Analyzed | Features |
|---|---|---|---|
| JavaScript / Node.js | npm | package.json, package-lock.json | Dependencies, dev dependencies, versions, licenses, vulnerability scanning |
| PHP | Composer | composer.json, composer.lock | Dependencies, dev dependencies, versions, licenses |
| Ruby | Bundler | Gemfile, Gemfile.lock | Dependencies, dev dependencies, versions |
| Python | pip | requirements.txt, Pipfile, pyproject.toml | Dependencies, versions |
JavaScript / Node.js (npm)
DependencyDesk provides the most comprehensive support for JavaScript projects using npm:
- Manifest Parsing: Reads `package.json` to identify declared dependencies
- Lock File Support: Uses `package-lock.json` for exact version resolution
- License Detection: Extracts license information from package metadata
- Vulnerability Scanning: Checks dependencies against the npm security advisory database
- Scoped Packages: Full support for scoped packages like `@types/node` or `@babel/core`
Parsed Fields
| Field | Source File | Description |
|---|---|---|
| Name | package.json | Package name |
| Version | package-lock.json or package.json | Exact or specified version |
| License | npm registry | Package license |
| Is Dev | package.json | Whether it's a development dependency |
| Vulnerabilities | npm advisory API | Known security vulnerabilities |
PHP (Composer)
DependencyDesk fully supports PHP projects using Composer:
- Manifest Parsing: Reads `composer.json` for declared dependencies
- Lock File Support: Uses `composer.lock` for exact version resolution
- License Detection: Extracts license from `composer.lock` metadata
Parsed Fields
| Field | Source File | Description |
|---|---|---|
| Name | composer.json | Package name (vendor/package format) |
| Version | composer.lock or composer.json | Exact or specified version |
| License | composer.lock | Package license |
| Is Dev | composer.json | Whether it's a development dependency |
Ruby (Bundler)
DependencyDesk supports Ruby projects using Bundler:
- Gemfile Parsing: Reads `Gemfile` for declared dependencies
- Lock File Support: Uses `Gemfile.lock` for exact version resolution
- Group Detection: Identifies development vs production dependencies
Parsed Fields
| Field | Source File | Description |
|---|---|---|
| Name | Gemfile | Gem name |
| Version | Gemfile.lock or Gemfile | Exact or specified version |
| Is Dev | Gemfile | Whether it's in a development group |
Note: License information is typically not available in Ruby manifest files and will be listed as "Unknown".
Python (pip)
DependencyDesk supports Python projects using various package management approaches:
- requirements.txt: Standard pip requirements file
- Pipfile: Pipenv manifest file
- pyproject.toml: Modern Python project configuration
Parsed Fields
| Field | Source File | Description |
|---|---|---|
| Name | Various | Package name |
| Version | Various | Specified version or constraint |
Note: License information is typically not available in Python manifest files and will be listed as "Unknown".
Detected but Not Parsed
DependencyDesk can detect the presence of the following package managers but does not fully parse their dependencies. When detected, these will be listed in the "Unsupported Package Managers" warning on the repository details page.
| Language | Package Manager | Detection Files |
|---|---|---|
| Go | Go Modules | go.mod, go.sum |
| Rust | Cargo | Cargo.toml, Cargo.lock |
| Java | Maven | pom.xml |
| Java / Kotlin | Gradle | build.gradle, build.gradle.kts |
| .NET | NuGet | *.csproj, packages.config |
| Swift | Swift Package Manager | Package.swift |
How Analysis Works
DependencyDesk uses a secure, read-only approach to analyze your dependencies:
- Clone: The repository is cloned using `git clone --depth 1` (shallow clone)
- Scan: Package manager manifest files are located in the repository
- Parse: Manifest files are read and parsed using PHP's JSON/text parsing
- Enrich: For npm packages, license and vulnerability data is fetched from the npm registry
- Store: Dependencies are stored in the DependencyDesk database
- Cleanup: You can delete the cloned files after analysis is complete
Important: DependencyDesk never executes any package manager commands (npm install, composer install, etc.) inside your repositories. Only static file reading is performed.
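The static Parse step for npm can be illustrated with the following added example, which is not DependencyDesk's own code (it is written in Python rather than PHP). It derives the Name, Version and Is Dev fields purely by reading JSON, and assumes the lockfileVersion 2/3 `packages` layout of `package-lock.json`; the sample manifests and the `parse_npm` function name are constructed for illustration.

```python
import json

# Constructed sample inputs (not taken from any real repository).
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"express": "^4.18.0", "@babel/core": "^7.23.0"},
  "devDependencies": {"@types/node": "^20.0.0", "eslint": "~8.50.0"}
}"""

PACKAGE_LOCK = """{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/@babel/core": {"version": "7.23.2"},
    "node_modules/@types/node": {"version": "20.8.9", "dev": true},
    "node_modules/express/node_modules/debug": {"version": "2.6.9"}
  }
}"""

PREFIX = "node_modules/"


def parse_npm(manifest_text, lock_text=None):
    """Build name/version/is_dev records by reading JSON only; no npm command runs."""
    manifest = json.loads(manifest_text)
    locked = {}
    if lock_text:
        # Keys are install paths such as "node_modules/@types/node".
        for path, meta in json.loads(lock_text).get("packages", {}).items():
            name = path[len(PREFIX):]
            # Keep top-level installs only; skip the root ("") and nested copies.
            if path.startswith(PREFIX) and PREFIX not in name:
                locked[name] = meta.get("version")
    records = []
    for section, is_dev in (("dependencies", False), ("devDependencies", True)):
        deps = manifest.get(section) or {}
        if not isinstance(deps, dict):  # untrusted input: ignore malformed sections
            continue
        for name, spec in sorted(deps.items()):
            exact = locked.get(name)
            # Prefer the exact locked version, else fall back to the declared range.
            records.append({"name": name, "version": exact or spec,
                            "exact": exact is not None, "is_dev": is_dev})
    return records


if __name__ == "__main__":
    for record in parse_npm(PACKAGE_JSON, PACKAGE_LOCK):
        print(record)
```

A dependency missing from the lock file (here `eslint`) keeps its declared range and is flagged `exact: False`, so downstream checks can tell a resolved version from a constraint.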
Requesting Additional Language Support
If you need support for additional languages or package managers not currently listed, please contact us at [email protected].