--dependencies-transitive doesn't list third-party transitive dependencies #12733
Comments
|
@oliverdain this is a known limitation of the dependencies goal going back to its inception in ~2010. Our docs could be better, but this only operates in the repository despite what the words in |
|
I've marked this as answered but left open pending a doc fix at the least. If you're up for doing that or adding a companion feature request issue -that' would be wonderful, but of course beyond the call of duty too. |
|
(Clicked wrong botton, sorry for noise.) Semi-related: I also think the P.S. @oliverdain in your example, you can use |
|
Feature request: #13283 |
|
I tripped over this: we got a vulnerability alert about one of our transitive/indirect dependencies and wanted to work out what code might be affected... and we had to do that manually because there doesn't seem to be a way to have pants tell us this automatically (e.g. Related discussion: https://pantsbuild.slack.com/archives/C046T6T9U/p1668753609863079. In that thread, it was raised that 'synthetic targets' might help make this easier to implement. |
|
Yeah, this is a feature we could relatively easily implement, if you're using lockfiles, since all the data is there. |
This has the `peek` output include the fingerprint of the sources referenced in a target. This is a step towards #8445, by putting more information into `peek`. For instance, with this, one way to get a crude "hash" of a target would be something like: ```shell { pants dependencies --transitive --closed path/to:target | xargs pants peek # these might change behaviour and so need to be included cat pants.toml cat 3rdparty/python/default.lock # or whatever other lock files are relevant } | openssl sha256 ``` This is conservative: the hash can be different without the behaviour of the target changing at all. For instance: - irrelevant changes in `pants.toml`: adjusting comments, unrelated subsystem config (e.g. settings in `[golang]` when `path/to:target` is a Python-only `pex_binary`) - upgrading 3rd party dependencies in the resolve that aren't (transitively) used by `path/to:target`. This relates to #12733: if all transitive 3rd party deps appeared in `pants dependencies --transitive`, and `pants peek` included the right info for them (e.g. version and fingerprints), the `cat 3rdparty/...` could be removed because the `peek` pipe would handle it. - target fields that don't impact execution behaviour, e.g. changing the `skip_black` setting on a `python_source` target, without changing the file contents (this might be _most_ fields on the (transitive) dependencies of a packageable target?) This is also only the hash of the input configuration, rather than a hash of a built artefact. If there's processes that aren't deterministic (e.g. `shell_command(command="date > output.txt", output_files=["output.txt"])` somewhere in the chain), the exact output artefact might be different if built twice, even if the hash hasn't changed. This PR is, in some sense, a partial revival of #8450, although is much simpler, because the JSON-outputting `peek` target already exists, and this doesn't try to solve the full problem.
|
I just found out one of our transitive deps uses GPL, but we only use it for tests. So either we yank it out because danger, or a ENFORCE (via visibility rules) nothing we ship depends on it. |
huonw
changed the title
Describe the bug
I wanted to find all the 3rd party dependencies for some of my code so I ran:
It output:
but some of those dependencies also have dependencies which were not output. For example
hypercorndepends onh2,h11,priority, etc. You can see the full list here: https://github.com/pgjones/hypercorn/blob/master/setup.pyPants version
2.6.0
OS
Linux (not tested on Mac). Debian Bullseye to be specific.
The text was updated successfully, but these errors were encountered: