Nimble Analysis

When developing in nim, nimble is used to manage dependencies.

2 min readUpdated Jul 9, 2026

Overview

When developing in nim, nimble is used to manage dependencies.

StrategyDirect DepsTransitive DepsEdgesClassifies Dev DependenciesContainer Scanning
nimble.lock and nimble dump
nimble.lock⚠️

Project Discovery

Find a file named nimble.lock.

Analysis

  1. Parse nimble.lock to identify dependencies and edges among them.
  2. Perform nimble dump --json to identify direct dependencies.

Limitation:

  • Dependencies downloaded from mercurial are not reported.
  • When nimble dump --json fails, any dependencies without incoming edge is considered to be a direct dependency

Example

  1. Execute nimble init to create a new project or create nim.nimble manually:

Example nim.nimble:

Nim
# Package version       = "0.1.0"author        = "User"description   = "A new awesome nimble package"license       = "MIT"srcDir        = "src"installExt    = @["nim"]bin           = @["nim"]  # Dependencies requires "nim >= 1.6.0"requires "jester >= 0.4.1 & < 0.5.0"
  1. Execute nimble lock to install and pin dependencies - this will create (or modify) the nimble.lock file.
  2. Execute fossa analyze -o on the project to print analyzed dependency graphing (this will not upload any analysis to any endpoint)

Note

If you are using an older version of Nim, you may need to:

  1. Run choosenim 1.6.0
  2. Run nimble install https://github.com/nim-lang/nimble@\#head (install the latest nimble, or any version with lock file support)

FAQ

How do I only perform analysis for the nimble?

You can explicitly specify an analysis target in .fossa.yml file. The example below will exclude all analysis targets except for the composer.

YAML
# .fossa.yml  version: 3targets:  only:    - type: nimble
© 2026 FOSSA, Inc.support@fossa.com