broad-processor-92400
11/18/2022, 6:40 AM
openpyxl, which depends on et-xmlfile, loaded into pants via a python_requirements target in path/. We have code path/foo.py that imports openpyxl but et-xmlfile is never mentioned. Pants clearly understands that foo.py -> openpyxl -> et-xmlfile (e.g. et-xmlfile ends up in PEX files that involve foo.py), but this doesn't translate into any of the commands I know for introspection:
1. ./pants peek path#openpyxl or ./pants peek path/foo.py don't list path#et-xmlfile at all
2. ./pants dependees path#et-xmlfile (with or without --transitive) only lists the python_requirements target, not path#openpyxl or foo.py
3. ./pants dependencies path/foo.py (with or without --transitive) only lists path#openpyxl, not path#et-xmlfile
This came up because dependabot flagged that one of our transitive deps (not this particular example) had a vulnerability, and we wanted to find where that dependency was actually used, which seems like a query that should be eminently pants-compatible (would be 2, above)...
curved-television-6568
11/18/2022, 12:38 PM
happy-kitchen-89482
11/18/2022, 3:07 PM
broad-processor-92400
11/18/2022, 6:50 PM
happy-kitchen-89482
11/18/2022, 6:51 PM
cold-sugar-54376
11/18/2022, 11:21 PM
broad-processor-92400
11/20/2022, 10:42 PM
python_requirements, so that we get the exact same versions, since poetry_requirements doesn't seem to read the lock file).
Background:
1. we were/are operating pants and poetry in parallel while we migrate (e.g. we were running formatting etc. via pants while still building artefacts via poetry)
2. we want to be able to do "minimal" updates, e.g. adding or updating specific dependencies without regenerating/updating all dependencies to their latest compatible version (I think https://github.com/pantsbuild/pants/issues/12880 covers this)
3. we want to integrate with automatic dependency checkers like dependabot, and using more widely supported formats is the easy way to do this
broad-processor-92400
11/21/2022, 6:17 AM
cold-sugar-54376
11/23/2022, 8:16 PM