Dependency Management
Supported Ecosystems
CodeStax supports scanning dependencies across 9 package ecosystems (Python appears once per package manager in the table below):
| Ecosystem | Manifest Files | Lock Files |
|---|---|---|
| npm | package.json | package-lock.json, yarn.lock |
| Python (pip) | requirements.txt | — |
| Python (Pipenv) | Pipfile | Pipfile.lock |
| Python (Poetry) | pyproject.toml | poetry.lock |
| Maven | pom.xml | — |
| Gradle | build.gradle | — |
| Go | go.mod | go.sum |
| Rust | Cargo.toml | Cargo.lock |
| Ruby | Gemfile | Gemfile.lock |
| PHP | composer.json | composer.lock |
| NuGet | *.csproj | packages.config |
Dependency Details
For each dependency, CodeStax tracks:
- Current version in your project
- Latest available version
- Whether it’s outdated (visual indicator)
- Known vulnerabilities (CVE count)
- License type
- Package manager source
Risk Scoring
Dependencies are scored using a composite formula based on CVSS score, fix availability, and severity. See CVSS & EPSS Scoring for the full scoring methodology.
Health Metrics
The dependency health dashboard shows:
- Total dependencies — Direct and transitive
- Vulnerable packages — Those with known CVEs
- Outdated packages — Those behind the latest version
- Avg update age — How far behind your dependencies are
- Recommendations — Prioritized list of packages to update
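The following Python script is an added example, not CodeStax code, showing how the manifest/lock-file distinction and the dashboard counts above fit together: it parses a constructed requirements.txt and npm package-lock.json, marks transitive packages from the lock file, compares each resolved version against a constructed registry snapshot, and orders recommendations by CVE count and then by outdatedness. The registry snapshot, CVE counts and the ordering rule are assumptions; the composite risk formula is not reproduced, and avg update age is left out because it needs release dates.

```python
import json
import re
from collections import namedtuple

Dependency = namedtuple("Dependency", "name version source direct")  # direct=False: transitive

# Constructed sample inputs; not taken from any real project.
REQUIREMENTS_TXT = "requests==2.25.1\n# pinned below\nPyYAML==5.4\nurllib3>=1.26\n"
PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"lodash": "^4.17.0"}},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/minimist": {"version": "1.2.5"}}})
# Constructed registry snapshot (assumption): (latest version, known CVE count) per package.
REGISTRY = {("pip", "requests"): ("2.31.0", 2), ("pip", "pyyaml"): ("6.0.1", 1),
            ("npm", "lodash"): ("4.17.21", 0), ("npm", "minimist"): ("1.2.8", 1)}

def parse_requirements(text):
    """Only '==' pins give a single version to compare; ranges and comments are skipped."""
    deps = []
    for raw in text.splitlines():
        m = re.fullmatch(r"([\w.-]+)==([\d][\w.]*)", raw.split("#")[0].strip())
        if m:
            deps.append(Dependency(m[1].lower(), m[2], "pip", True))
    return deps

def parse_package_lock(text):
    """npm lockfileVersion 2/3: key '' is the root; other keys are node_modules paths."""
    packages = json.loads(text)["packages"]
    direct = set(packages[""].get("dependencies", {}))
    deps = []
    for path, info in packages.items():
        if path:  # everything except the root entry
            name = path.rsplit("node_modules/", 1)[1]
            deps.append(Dependency(name, info["version"], "npm", name in direct))
    return deps

def version_key(v):
    """Dotted numeric version -> comparable tuple ('1.10' > '1.9'); pre-release tag dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def health_metrics(deps, registry):
    """Dashboard counts plus recommendations ordered by CVE count, then outdatedness (assumed rule)."""
    rows = []
    for d in deps:
        latest, cves = registry[(d.source, d.name)]
        rows.append((d, latest, cves, version_key(latest) > version_key(d.version)))
    todo = sorted((r for r in rows if r[2] or r[3]), key=lambda r: (-r[2], not r[3], r[0].name))
    return {"total": len(rows), "direct": sum(r[0].direct for r in rows),
            "vulnerable": sum(1 for r in rows if r[2]), "outdated": sum(1 for r in rows if r[3]),
            "recommendations": [f"{r[0].source}:{r[0].name} {r[0].version} -> {r[1]}" for r in todo]}
```

Run `health_metrics(parse_requirements(REQUIREMENTS_TXT) + parse_package_lock(PACKAGE_LOCK), REGISTRY)` to get the four counts and the ordered recommendation list for the sample inputs.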