Dependency Management
Supported Ecosystems
CodeStax supports scanning dependencies across 9 package ecosystems (Python appears three times in the table below, once per package manager):
| Ecosystem | Manifest Files | Lock Files |
|---|---|---|
| npm | package.json | package-lock.json, yarn.lock |
| Python (pip) | requirements.txt | — |
| Python (Pipenv) | Pipfile | Pipfile.lock |
| Python (Poetry) | pyproject.toml | poetry.lock |
| Maven | pom.xml | — |
| Gradle | build.gradle | — |
| Go | go.mod | go.sum |
| Rust | Cargo.toml | Cargo.lock |
| Ruby | Gemfile | Gemfile.lock |
| PHP | composer.json | composer.lock |
| NuGet | *.csproj | packages.config |
Dependency Details
For each dependency, CodeStax tracks:
- Current version in your project
- Latest available version
- Whether it’s outdated (visual indicator)
- Known vulnerabilities (CVE count)
- License type
- Package manager source
Risk Scoring
Dependencies are scored using a composite formula:
| Factor | Weight | How It’s Calculated |
|---|---|---|
| CVSS Score | 40% | Highest CVSS of any CVE in the package |
| Fix Availability | 30% | Higher risk if no patched version exists |
| Severity Weight | 30% | Critical=1.0, High=0.75, Medium=0.5, Low=0.25 |
Risk Score = (CVSS × 0.4) + (Fix Factor × 0.3) + (Severity × 0.3) × 100
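As an added illustration of how the three weighted factors combine (example code, not CodeStax's own implementation), the scorer below makes several assumptions the page leaves open: CVSS is normalised to 0–1 by dividing by 10 so all terms share a scale, the Fix Factor is 1.0 when any CVE in the package has no patched version and 0.0 otherwise, the Severity Weight is the highest severity present, and the ×100 scales the whole weighted sum. The package and CVE identifiers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Severity weights as given in the Risk Scoring table.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}


@dataclass
class Cve:
    id: str
    cvss: float                  # CVSS base score, 0.0-10.0
    severity: str                # critical / high / medium / low
    fixed_in: Optional[str]      # first patched version, None if no fix published


@dataclass
class Dependency:
    name: str
    version: str
    cves: List[Cve] = field(default_factory=list)


def risk_score(dep: Dependency) -> float:
    """Composite 0-100 risk score: (CVSS*0.4 + Fix*0.3 + Severity*0.3) * 100.

    Assumptions (not stated on the page): CVSS is divided by 10 so it is on
    the same 0-1 scale as the other factors; Fix Factor is 1.0 if any CVE
    lacks a patched version (an upgrade cannot fully remediate it); Severity
    is the highest weight present; a package with no CVEs scores 0.
    """
    if not dep.cves:
        return 0.0
    cvss_norm = max(c.cvss for c in dep.cves) / 10.0
    fix_factor = 1.0 if any(c.fixed_in is None for c in dep.cves) else 0.0
    severity = max(SEVERITY_WEIGHT[c.severity.lower()] for c in dep.cves)
    return round((cvss_norm * 0.4 + fix_factor * 0.3 + severity * 0.3) * 100, 1)


def recommendations(deps: List[Dependency]) -> List[Tuple[str, float]]:
    """Prioritised update list: highest risk first, zero-risk packages omitted."""
    scored = [(d.name, risk_score(d)) for d in deps]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed sample inventory; names and CVE ids are placeholders, not real advisories.
SAMPLE = [
    Dependency("example-http-client", "1.2.0", [
        Cve("CVE-EXAMPLE-0001", 9.8, "critical", None),      # no fix available
        Cve("CVE-EXAMPLE-0002", 5.3, "medium", "1.3.0"),
    ]),
    Dependency("example-template-lib", "4.0.1", [
        Cve("CVE-EXAMPLE-0003", 7.4, "high", "4.0.2"),
    ]),
    Dependency("example-logger", "2.1.0"),                     # clean package
]

if __name__ == "__main__":
    for name, score in recommendations(SAMPLE):
        print(f"{name}: {score}")
```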
Health Metrics
The dependency health dashboard shows:
- Total dependencies — Direct and transitive
- Vulnerable packages — Those with known CVEs
- Outdated packages — Those behind the latest version
- Avg update age — How far behind your dependencies are
- Recommendations — Prioritized list of packages to update