Dependency list includes duplicates due to scanning spec files as well as lock-files #70317
Unanswered

allanlewis asked this question in Repositories

Replies: 1 comment
I think it would be nice if the dependency graph introduced some smarter filters -- the search bar isn't enough. I'd love to be able to filter to only dependencies sourced from manifest files or lock files. The simplest way would probably be to filter by dependency file's filename, which I don't think is currently possible.
Select Topic Area: Product Feedback

Body
I use the Poetry package manager for some Python projects in my repository. This uses `pyproject.toml` to specify dependencies and `poetry.lock` to define the pinned version of each dependency in the tree.

Where my project specifies a dependency in `pyproject.toml`, GitHub's dependency list includes that dependency twice: one referencing `pyproject.toml` and another referencing `poetry.lock`. For dependency management tools that utilise lock-files, surely it makes sense to only report what's in the lock-file since that describes what actually ends up in the deployed product? Spec files like `pyproject.toml` might specify version ranges; they don't necessarily define pinned versions, which is what's useful for an SBOM.

What I'd like to see is GitHub ignore files like `pyproject.toml` for listing dependencies when a lock-file like `poetry.lock` exists; similarly for e.g. NPM's `package.json` and `package-lock.json`. If this can't be the default for some reason, then it should at least be an option.