Dependency updates
The Updates page: review package updates by severity, catch vulnerable dependencies, and verify upgrades after you apply them.
The Updates page (in the sidebar under Manage) is where the supply-chain half of the scan becomes a work surface. The scan parses your lockfiles and checks each package against its registry; this page is where you review what it found and work through the upgrades.
It needs a linked project folder. If the project has no source folder linked, the page tells you so; link one in Project Settings and scan again.
What it shows
- Security updates first. Packages with known vulnerabilities get a banner above everything else. These are the ones that also raise alerts and can create issues.
- Everything else by size. Regular updates are grouped major → minor → patch, with filter pills to focus on one group. Majors are called out because they’re the ones that can break you; patches are usually safe to batch.
- Stat cards summarizing how much of your dependency surface is behind.
- Per-package detail. Open any row for the package’s dossier: current vs available version and what the update involves.
- Copy all exports the update list as text you can paste into a ticket or hand to your coding agent.
A critical update also badges the Updates entry in the sidebar, so you don’t need the page open to know something needs attention.
Ecosystem coverage
The updates report covers the lockfiles the scan parses: npm, pip, composer, cargo, go, ruby, plus Drupal and WordPress projects. Registry lookups send package names and versions only, never your source. See Privacy & data.
Verifying an upgrade
Updates you apply don’t just vanish from the list on faith. After you upgrade and re-scan, the page’s pending-verification section tracks the packages you moved until the next report confirms the new version is what the lockfile actually resolves. The history section keeps a record of past refreshes, so “what did we upgrade last month” has an answer.
How this relates to Issues
A vulnerable dependency is both an update (here) and a finding (on the Issues page, in the Dependencies category, where it affects your score). The Updates page is the maintenance view: everything upgradeable, not just the scored problems. Routine version drift stays out of your score; known vulnerabilities don’t.