https://pantsbuild.org/ logo
Join Slack
Powered by
Any thoughts on populating the `dependencies` of a...
# development
b
Any thoughts on populating the 
dependencies
of a 
python_requirement
from a PEX lockfile? I'm trying to debug where a transitive 3rdparty Python dep come in, but Pants can't help me because it stops at surface-level dependencies
CC @hundreds-father-404 and maybe @happy-kitchen-89482
I might even be able to test this out in an in-repo plugin with dep inference 🤔 .
e
The provenance information is there in the lockfile, you're just looking for better viz tools to see it instead of reading the lock JSON basically?
b
Yes AND specifically I want to use Pants' 
paths
goal to map targets to indirect 3rdparty deps
e
Ok.
b
"E.g. how many docker images are using this pkg, which has a vulnerability"
e
It would be great if we could do this more wholistically and JVM, Go, etc. But one at a time works to get things rolling.
âž• 1
h
Yeah I would love it if paths worked here
b
I might hack this locally tomorrow and report back, if nothing pressing comes up
h
What are the unintended consequences of adding the deps though? You'd have to do it transitively, and create a bunch of synthetic 
python_requirement
, and that might be overkill
And it would pollute the output of 
peek
and 
list
and such
Another way to do this would be for lockfiles to participate explicitly in 
paths
logic
I fear the unintended consequences of putting transitive external stuff in the build graph directly
Open in Slack
PreviousNext
Powered by