Add an Embedded dependency property#17
Add an Embedded dependency property#17ret2libc wants to merge 2 commits intoRedHatProductSecurity:mainfrom
Conversation
| version := dep.Version | ||
|
|
||
| inst, _ := purl.FromString(fmt.Sprintf("pkg:%s/%s@%s", deplist.GetLanguageStr(dep.DepType), dep.Path, version)) | ||
| fmt.Println(inst) |
There was a problem hiding this comment.
Perhaps instead of changing the output format for embedded dependencies we should add a command flag which indicates if we want embedded dependencies in the output of not? I think it would avoid the need to have special code in clients which for interrupting the output.
There was a problem hiding this comment.
@jasinner I could add a flag -modes which accepts deps, bundled, or deps,bundled and prints dependencies based on the mode. However, for the case where you print both "regular dependencies" and bundled code you do need anyway a way to differentiate them, don't you? Opinions @jasinner ? @sfowl was suggesting to have a JSON output instead.
Do we have clients that use the output mode of deplist?
There was a problem hiding this comment.
We are planning on using deplist in component-registry. Although the integration is not done yet.
I think for component-registry it would be nice to have json output and split deps and bundled into 2 groups.
|
@ret2libc Let's sync up on this offline. I'll put this in draft state for now. |
When possible differentiate between runtime dependencies and bundled code. By bundled code we can refer to copy-pasted code, vendored code (e.g. github, node_modules), copy-pasted code, webpacked, etc.
| switch needle { | ||
| case | ||
| "node_modules", | ||
| "vendor", |
There was a problem hiding this comment.
Hmm, this could be dangerous, go list traverses the go pkg graph to identify what packages are used by the code in the provided directory. I think we filtered out vendor/ because it's possible for code to be stored there that is not actually used by code in the rest of the repo, i.e. it does not make it into the built binaries. Two causes I think that can lead to this are an out-of-sync vendor dir or that vendor dir is populated by the go module graph, not the go pkg graph, which can be different.
EDIT: By default go list also does not report test deps, however they will appear in vendor/
3 participants
When possible (right now only for NodeJS) differentiate between actual
dependencies and embedded code that is actually included in the source
files.