dpndncY

Software Composition Analysis across 17 ecosystems.

Resolve direct and transitive dependencies, correlate them against OSV / NVD / GHSA, and enrich each finding with the full exploit-signal stack.

Executable docs ship with the install
The full reference for this topic — configuration files, code samples, CLI flags, API endpoints — ships inside every dpndncY installation so it always matches your installed version. This public-preview page lists what the in-product docs cover.

In the in-product docs

  • Supported ecosystems (npm, PyPI, Maven, NuGet, Cargo, Go, RubyGems, Composer, Pub, CRAN, Conda, CPAN, OPAM, CocoaPods, SwiftPM, PEAR, Bazel)
  • Lockfile-first resolution semantics
  • Transitive depth and pruning rules
  • Per-finding signal stack reference
  • JS/TS reachability — how it works
  • Output formats (SARIF / CycloneDX / SPDX / JSON / PDF)