Is there a way to have pants tell me about the dep...
# general
b
Is there a way to have pants tell me about the dependency relationships of transitive dependencies? (i.e. dependencies of our external deps, not packages our code ever imports directly) For example, we depend on `openpyxl`, which depends on `et-xmlfile`, loaded into pants via a `python_requirements` target in `path/`. We have code `path/foo.py` that imports `openpyxl` but `et-xmlfile` is never mentioned. Pants clearly understands that `foo.py` -> `openpyxl` -> `et-xmlfile` (e.g. `et-xmlfile` ends up in PEX files that involve `foo.py`), but this doesn't translate into any of the commands I know for introspection:
1. `./pants peek path#openpyxl` or `./pants peek path/foo.py` don't list `path#et-xmlfile` at all
2. `./pants dependees path#et-xmlfile` (with or without `--transitive`) only lists the `python_requirements` target, not `path#openpyxl` or `foo.py`
3. `./pants dependencies path/foo.py` (with or without `--transitive`) only lists `path#openpyxl`, not `path#et-xmlfile`
This came up because dependabot flagged one of our transitive deps (not this particular example) had a vulnerability, and we wanted to find where that dependency was actually used, which seems like a query that should be eminently pants-compatible (would be 2, above)...
c
Pants only knows of your direct 3rd party dependencies, the transient ones present in your lockfiles are compiled from that list using pex/pip. Ticket: https://github.com/pantsbuild/pants/issues/13283 touches on this. 🙂
h
Pants has this data in lockfiles, but doesn’t introspect it (yet). One issue would be that those non-direct reqs don’t have target addresses, so they don’t slot as neatly into existing introspection facilities, but now that we have synthetic targets (h/t @curved-television-6568) this seems like a way forward.
b
Thanks both
h
So I think this would not be too hard to implement
c
Does dependabot support looking into pex lockfiles?
b
Not as far as I know. We have a finicky system where we use poetry to define the deps and then import that into pants (via a requirements.txt file and `python_requirements`), so that we get the exact same versions, since `poetry_requirements` doesn't seem to read the lock file). Background:
1. we were/are operating pants and poetry in parallel while we migrate (e.g. we were running formatting etc. via pants while still building artefacts via poetry)
2. we want to be able to do "minimal" updates, e.g. adding or updating specific dependencies without regenerating/updating all dependencies to their latest compatible version (I think https://github.com/pantsbuild/pants/issues/12880 covers this)
3. we want to integrate with automatic dependency checkers like dependabot, and using more widely supported formats is the easy way to do this
c
yeah, it would be great for CVE issues if we could get notifications about updates to our lockfile without having to maintain a separate poetry lockfile