https://pantsbuild.org/ logo
#development
Title
# development
b

bitter-ability-32190

07/28/2022, 1:59 PM
Any thoughts on populating the
dependencies
of a
python_requirement
from a PEX lockfile? I'm trying to debug where a transitive 3rdparty Python dep come in, but Pants can't help me because it stops at surface-level dependencies
CC @hundreds-father-404 and maybe @happy-kitchen-89482
I might even be able to test this out in an in-repo plugin with dep inference 🤔 .
e

enough-analyst-54434

07/28/2022, 2:36 PM
The provenance information is there in the lockfile, you're just looking for better viz tools to see it instead of reading the lock JSON basically?
b

bitter-ability-32190

07/28/2022, 2:37 PM
Yes AND specifically I want to use Pants'
paths
goal to map targets to indirect 3rdparty deps
e

enough-analyst-54434

07/28/2022, 2:38 PM
Ok.
b

bitter-ability-32190

07/28/2022, 2:38 PM
"E.g. how many docker images are using this pkg, which has a vulnerability"
e

enough-analyst-54434

07/28/2022, 2:39 PM
It would be great if we could do this more wholistically and JVM, Go, etc. But one at a time works to get things rolling.
1
h

happy-kitchen-89482

07/28/2022, 4:46 PM
Yeah I would love it if paths worked here
b

bitter-ability-32190

07/28/2022, 4:47 PM
I might hack this locally tomorrow and report back, if nothing pressing comes up
h

happy-kitchen-89482

07/28/2022, 4:47 PM
What are the unintended consequences of adding the deps though? You'd have to do it transitively, and create a bunch of synthetic
python_requirement
, and that might be overkill
And it would pollute the output of
peek
and
list
and such
Another way to do this would be for lockfiles to participate explicitly in
paths
logic
I fear the unintended consequences of putting transitive external stuff in the build graph directly