Codario is a cloud-based service that helps you to use open source in a secure way by monitoring your projects' dependencies for updates.

Do you provide only updates for vulnerable packages?

No, we provide all available updates that can be applied to your project while respecting the given restrictions.

However, you can configure projects on Codario to get only updates for vulnerable packages.

How do you get notice of updates and vulnerabilities?

We analyze public sources for every package dependency manager (for example, npm).

When will an update task be created?

Whenever one or more updates for your project are available.

Please note that Codario always respects the restrictions in your manifest file (for example, composer.json for Composer, package.json for npm).

For example: if you are using the restriction ~1.2.3 for a Composer package, Codario would suggest the update to version 1.2.34 but not to version 1.3.0, because your restriction disallows versions >=1.3.0.
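
The restriction check described above, as an added example (not Codario's code): a simplified Python model of Composer's tilde operator for stable numeric versions, applied to a constructed release list. The function names and the release list are assumptions made for illustration.

```python
# Added illustration: simplified Composer '~' handling, stable numeric versions only.

def parse(version):
    """'1.2.34' -> (1, 2, 34); missing segments are padded with zeros."""
    parts = [int(p) for p in version.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def tilde_range(constraint):
    """Return (lower, upper) so that lower <= v < upper satisfies the constraint."""
    if not constraint.startswith("~"):
        raise ValueError("only '~' constraints are handled in this example")
    spec = constraint[1:]
    lower = parse(spec)
    segments = spec.count(".") + 1
    # Only the last written segment may grow, so the segment before it is bumped
    # to form the upper bound: ~1.2.3 -> <1.3.0, ~1.2 -> <2.0.0, ~1 -> <2.0.0
    bump = max(segments - 2, 0)
    upper = lower[:bump] + (lower[bump] + 1,) + (0,) * (2 - bump)
    return lower, upper


def plan_update(constraint, installed, available):
    """Return (suggested update or None, newer releases the constraint blocks)."""
    lower, upper = tilde_range(constraint)
    newer = sorted((v for v in available if parse(v) > parse(installed)), key=parse)
    allowed = [v for v in newer if lower <= parse(v) < upper]
    blocked = [v for v in newer if v not in allowed]
    return (allowed[-1] if allowed else None), blocked


# Constructed release list for a hypothetical package.
RELEASES = ["1.2.3", "1.2.10", "1.2.34", "1.3.0", "2.0.0"]

if __name__ == "__main__":
    for constraint in ("~1.2.3", "~1.2"):
        suggested, blocked = plan_update(constraint, "1.2.3", RELEASES)
        print(f"{constraint}: suggest {suggested}, blocked by restriction: {blocked}")
```

The `blocked` list is the part to review when a release outside your restriction is the one you need: no update task can propose it until the manifest restriction is widened.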

How often will Codario check for updates of my project dependencies?

Codario automatically checks for available updates for a project no more often than once every hour (the specific interval between checks depends on how long it takes to check your projects for updates and on when found updates were last applied in your project).

The tasks workflow

Every stage where you see a "Failed" badge can move to the corresponding failed stage during processing.


Codario uses special Docker containers to process all actions for projects. Every container has the following limits:

  • 2 GB RAM
  • 30 minutes
  • 1 CPU