Dependency list includes duplicates due to scanning spec files as well as lock-files

[allanlewis]

Select Topic Area

Product Feedback

Body

I use the Poetry package manager for some Python projects in my repository. This uses pyproject.toml to specify dependencies and poetry.lock to define the pinned version of each dependency in the tree.

Where my project specifies a dependency in pyproject.toml, GitHub's dependency list includes that dependency twice: one referencing pyproject.toml and another referencing poetry.lock. For dependency management tools that utilise lock-files, surely it makes sense to only report what's in the lock-file since that describes what actually ends up in the deployed product? Spec files like pyproject.toml might specify version ranges, they don't necessarily define pinned versions, which is what's useful for an SBOM.

What I'd like to see is GitHub ignore files like pyproject.toml for listing dependencies when a lock-file like poetry.lock exists; similarly for e.g. NPM's package.json and package-lock.json. If this can't be the default for some reason, then it should at least be an option.

[spenserblack]

I think it would be nice if the dependency graph introduced some smarter filters -- the search bar isn't enough. I'd love to be able to filter to only dependencies sourced from manifest files or lock files. The simplest way would probably be to filter by dependency file's filename, which I don't think is currently possible.