Do we have any tooling in the repo scripts, or in pants itself, that can read a lockfile and check for updates to listed packages? SOmething like

npm outdated

?

Lockfile management is missing a lot of polish. The lockfile itself is really well designed, allowing for many of the quirks of the python ecosystem while still capturing relevant hashes for supply chain security. But the pants UX around updating/querying lockfiles is missing. We can regenerate lockfiles and determine when to invalidate the lockfile, but that's about it. PEX has gained several features to help with updating lockfiles that pants needs to learn to use. As far as something that can find outdated packages, I can imagine pants running an update through PEX without replacing the lockfile just to get the possible updates. That would be kind of like running a fmt goal under lint to see if updates are required. Maybe a lockfile linter would be a great approach to this.

Ha, the

fmt

example is exactly what I was thinking - but my hope is that there would be a way to do it without pulling any data, just via querying. Sometimes generation is slooooowwwww

related: https://github.com/pantsbuild/pants/pull/20838

Another workaround/hack: export a venv and run

path/to/venv/python -m pip list --outdated

in that venv

I'm thinking that we have a lot of outdated lockfiles in the pants repo, as the tools are only updated when someone remembers to do it, at some point - it would be nice to flag those. e.g. the clangformat backend - that isn't enabled by default, so we wouldn't see its out-of-date, other than when someone (e.g. me) goes into a repo or is working on it, and notices its out of date.

I think the docsite generation enables all backends, so we have prior art for that. Also, there's the generate_builtin_lockfiles tool which is sortof related

Re listing outdated things: https://github.com/pantsbuild/pants/discussions/20368