Codario is a cloud-based service that helps you to stay secure with your open source dependencies.

Are you provide only updates for vulnerable packages?

No, we provide absolutely all available updates that can be applied respecting the restrictions of your project.

However, you can configure Codario project by the way to get only updates for vulnerable packages.

How do you get database of the vulnerabilities?

We analyze public sources for every "package dependency manager".

F.e. for npm - it's

When an update task will be created?

At once when you will provide a "project configs" for a project (of course if there any updates are available).

Please pay attention that Codario always respects restrictions from your manifest file.

For example: if you are using restriction ~1.2.3 for a composer package, the current version of this package is 1.2.34 and available version 1.3.0 — Codario will not suggest this update because your restriction disallows to use versions >=1.3.0.

Manifest file - it's composer.json for composer, package.json for npm, etc.

How ofter Codario will check my project for updates?

Codario checks available updates for a project automatically not often than every hour (the specific interval between checks depends on the time which should be taken to check your projects for updates and the term when found updates were applied last time in your project).

The tasks workflow

All stages where do you see "Failed" badge can get the corresponding stage during processing.


Codario uses special Docker containers to process any actions for projects. Every container has the following limits:

  • 2 GB RAM
  • 30 minutes
  • 1 CPU