https://pantsbuild.org/ logo
#general
Title
# general
b

broad-processor-92400

11/18/2022, 6:40 AM
Is there a way to have pants tell me about the dependency relationships of transitive dependencies? (i.e. dependencies of our external deps, not packages our code ever imports directly) For example, we depend on
openpyxl
, which depends on
et-xmlfile
, loaded into pants via a
python_requirements
target in
path/
. We have code
path/foo.py
that imports
openpyxl
but
et-xmlfile
is never mentioned. Pants clearly understands that
foo.py
->
openpyxl
->
et-xmlfile
(e.g.
et-xmlfile
ends up in PEX files that involve
foo.py
), but this doesn't translate into any of the commands I know for introspection: 1.
./pants peek path#openpyxl
or
./pants peek path/foo.py
don't list
path#et-xmlfile
at all 2.
./pants dependees path#et-xmlfile
(with or without
--transitive
) only lists the
python_requirements
target, not
path#openpyxl
or
foo.py
3.
./pants dependencies path/foo.py
(with or without
--transitive
) only lists
path#openpyxl
, nor
path#et-xmlfile
This came up because dependabot flagged one of our transitive deps (not this particular example) had a vulnerability, and we wanted to find where that dependency was actually used, which seems like a query should be eminently pants-compatible (would be 2, above)...
c

curved-television-6568

11/18/2022, 12:38 PM
Pants only knows of your direct 3rd party dependencies, the transient ones present in your lockfiles are compiled from that list using pex/pip. Ticket: https://github.com/pantsbuild/pants/issues/13283 touches on this. 🙂
1
h

happy-kitchen-89482

11/18/2022, 3:07 PM
Pants has this data in lockfiles, but doesn’t introspect it (yet). One issue would be that those non-direct reqs don’t have target addresses, so they don’t slot as neatly into existing introspection facilities, but now that we have synthetic targets (h/t @curved-television-6568) this seems like a way forward.
1
b

broad-processor-92400

11/18/2022, 6:50 PM
Thanks both
h

happy-kitchen-89482

11/18/2022, 6:51 PM
So I think this would not be too hard to implement
c

cold-sugar-54376

11/18/2022, 11:21 PM
Does dependabot support looking into pex lockfiles?
b

broad-processor-92400

11/20/2022, 10:42 PM
Not as far as I know. We have a finnicky system where we use poetry to define the deps and then import that into pants (via requirements.txt file and
python_requirements
, so that we get the exact same versions, since
poetry_requirements
doesn't seem to read the lock file). Background: 1. we were/are operating pants and poetry in parallel while we migrate (e.g. we were running formatting etc. via pants while still building artefacts via poetry) 2. we want to be able to do "minimal" updates, e.g. adding or updating specific dependencies without regenerating/updating all dependencies to their latest compatible version (I think https://github.com/pantsbuild/pants/issues/12880 covers this) 3. we want to integrate with automatic dependency checkers like dependabot, and using more widely supported formats is the easy way to do this
c

cold-sugar-54376

11/23/2022, 8:16 PM
yeah, it would be great for CVE issues if we could get notifications about updates to our lockfile without having to maintain a separate poetry lockfile
4 Views