SPIKE: What are the lock files we intend to support?
Why are we doing this work
With the transition to a lock file only analyzer, it would be good to identify what support each package manager already has:
- Build file support only
- Build and lock file support only
- Lock file support only
For package managers that we currently support only through build files, we'll schedule a second development iteration to identify whether lock-file-only support is possible.
Time box: 1 day
Tasks
- List package managers with lock file support in some capacity
- List package managers with build file support only
- Create issues for lock file package managers if they do not yet exist.
- Create issues for build file package managers if they can support lock files and if they do not yet have an issue.
Results
Gradle
Document how to lock the dependencies in a graph format with the gradle-dependency-lock-plugin
from the Nebula plugin suite. While it would be great to use Gradle's built-in dependency locking,
its gradle.lockfile only records resolved versions and does not provide a graph, which is the goal of the parent epic.
Maven
We'll document how to generate the DOT graph with the built-in dependency:tree goal
(-DoutputType=dot), re-use the sbt DOT parsing to read it, and analyze those files.
setuptools
We'll document how to generate the dependency graph artifacts using pip-compile and/or
pip install --report [FILE] --dry-run --quiet -r [FILE]. For simplicity, we'll support
requirements.txt lock files produced by pip-compile, and leave the pip report out of scope
for now.
pip
Same as setuptools.
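As an added illustration (not the analyzer's own parser, and not code from the pip-compile project), here is a parser for the requirements.txt that pip-compile writes: one pinned requirement per line, optional `--hash=` continuation lines when `--generate-hashes` is used, and an indented `# via` comment naming the requirer(s), with `-r <file>` marking a direct dependency. The sample lock file and the function names (`parse_lock`, `edges`, `dangling`, `unhashed`) are constructed here; the sample deliberately hashes only one pin so the hash check has something to report.

```python
"""Parse a pip-compile lock file into pins with `# via` provenance and hashes,
then run the integrity checks a lock-file analyzer would want. Added example only."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in pip-compile's output format (not real project output).
# Only certifi carries a (fake) hash, so the unhashed() check below fires.
LOCK = """\
#
# This file is autogenerated by pip-compile with Python 3.11
# by the following command:
#
#    pip-compile requirements.in
#
certifi==2023.7.22 \\
    --hash=sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
    # via requests
python-dateutil==2.8.2
    # via -r requirements.in
requests==2.31.0
    # via -r requirements.in
six==1.16.0
    # via
    #   -r requirements.in
    #   python-dateutil
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==(\S+)")
HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")
VIA_HEAD_RE = re.compile(r"^\s+#\s+via(?:\s+(\S.*))?$")   # "# via X" or bare "# via"
VIA_ITEM_RE = re.compile(r"^\s+#\s+(\S.*)$")              # "#   X" lines under a bare "# via"


def canonical(name: str) -> str:
    """PEP 503 normalisation so Python_DateUtil and python-dateutil compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Pin:
    name: str
    version: str
    hashes: list = field(default_factory=list)  # (algorithm, hexdigest) pairs
    via: list = field(default_factory=list)     # requirer names, or "-r <file>"

    @property
    def direct(self) -> bool:
        return any(v.startswith("-r ") for v in self.via)


def parse_lock(text: str) -> dict[str, Pin]:
    pins: dict[str, Pin] = {}
    current = None
    in_via = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():          # a new requirement (or the file header)
            in_via = False
            if line.startswith("#"):
                continue
            m = PIN_RE.match(line)
            if not m:
                raise ValueError(f"unsupported requirement line: {line!r}")
            current = Pin(canonical(m.group(1)), m.group(2))
            current.hashes += HASH_RE.findall(line)
            pins[current.name] = current
            continue
        if current is None:
            raise ValueError(f"continuation before any requirement: {line!r}")
        if "--hash=" in line:              # indented --hash continuation lines
            current.hashes += HASH_RE.findall(line)
            continue
        m = VIA_HEAD_RE.match(line)
        if m:
            in_via = True
            if m.group(1):
                current.via.append(m.group(1))
            continue
        m = VIA_ITEM_RE.match(line)
        if in_via and m:
            current.via.append(m.group(1))
    return pins


def edges(pins: dict[str, Pin]) -> list[tuple[str, str]]:
    """(requirer, requirement) edges; `-r` entries name the input file, not a package."""
    return sorted((canonical(v), p.name) for p in pins.values()
                  for v in p.via if not v.startswith("-r "))


def dangling(pins: dict[str, Pin]) -> list[str]:
    """Requirers named in `# via` that have no pin: the lock file was edited by hand or truncated."""
    return sorted({parent for parent, _ in edges(pins) if parent not in pins})


def unhashed(pins: dict[str, Pin]) -> list[str]:
    """Pins without a --hash; `pip install --require-hashes` refuses to install these."""
    return sorted(p.name for p in pins.values() if not p.hashes)


if __name__ == "__main__":
    pins = parse_lock(LOCK)
    print("direct:", sorted(p.name for p in pins.values() if p.direct))
    print("edges:", edges(pins))
    print("dangling requirers:", dangling(pins))
    print("pins without hashes:", unhashed(pins))
```

The two checks are the ones worth surfacing from a lock file: a `# via` requirer that has no pin of its own means the graph is inconsistent, and a pin without `--hash=` means the file pins versions but not artifacts, so a re-published wheel would still install.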
sbt
We'll document how to generate the dependency graph artifacts for a project using the built-in sbt dependencyDot task.
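Both the Maven section above and this sbt section rely on the same DOT parsing, so here is one added example (illustration code, not the analyzer's parser or code from either tool) that reads the `"parent" -> "child"` edge lines both `mvn dependency:tree -DoutputType=dot` and sbt `dependencyDot` emit, and derives the root, its direct dependencies and the transitive closure. The two sample graphs, the `Node` type and the function names are constructed here; the node-id layouts assumed are `group:artifact:version` for sbt and `group:artifact:type[:classifier]:version:scope` (root: `group:artifact:type:version`) for Maven.

```python
"""Parse Maven and sbt DOT dependency graphs into edges and walk them. Added example only."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples mirroring each tool's output (not real project output).
MAVEN_DOT = """digraph "com.example:app:jar:1.0.0" {
\t"com.example:app:jar:1.0.0" -> "org.apache.commons:commons-lang3:jar:3.12.0:compile" ;
\t"com.example:app:jar:1.0.0" -> "junit:junit:jar:4.13.2:test" ;
\t"junit:junit:jar:4.13.2:test" -> "org.hamcrest:hamcrest-core:jar:1.3:test" ;
 }
"""

SBT_DOT = """digraph "dependency-graph" {
    graph[rankdir="LR"]
    edge [
        arrowtail="none"
    ]
    "com.example:app_2.13:1.0.0"[label=<com.example<BR/><B>app_2.13</B><BR/>1.0.0> style=""]
    "org.scala-lang:scala-library:2.13.8"[label=<org.scala-lang<BR/><B>scala-library</B><BR/>2.13.8> style=""]
    "com.example:app_2.13:1.0.0" -> "org.scala-lang:scala-library:2.13.8"
}
"""

# Both tools write edges as "parent" -> "child"; node declarations and attributes are ignored.
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')


@dataclass(frozen=True)
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str] = None  # Maven only (compile/test/...); sbt ids carry no scope

    @property
    def name(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_node(node_id: str) -> Node:
    """sbt: group:artifact:version. Maven root: group:artifact:type:version.
    Maven dependency: group:artifact:type[:classifier]:version:scope."""
    parts = node_id.split(":")
    if len(parts) == 3:
        return Node(parts[0], parts[1], parts[2])
    if len(parts) == 4:
        return Node(parts[0], parts[1], parts[3])
    if len(parts) in (5, 6):
        return Node(parts[0], parts[1], parts[-2], parts[-1])
    raise ValueError(f"unrecognised node id: {node_id!r}")


def parse_dot(text: str) -> list[tuple[Node, Node]]:
    """Return (parent, child) edges in file order."""
    return [(parse_node(p), parse_node(c)) for p, c in EDGE_RE.findall(text)]


def root_of(edges: list[tuple[Node, Node]]) -> Node:
    """The single node that is a parent but never a child; anything else is a corrupt graph."""
    roots = {p for p, _ in edges} - {c for _, c in edges}
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {sorted(r.name for r in roots)}")
    return roots.pop()


def direct_dependencies(edges: list[tuple[Node, Node]], root: Node) -> set[str]:
    return {c.name for p, c in edges if p == root}


def transitive_closure(edges: list[tuple[Node, Node]], start: Node) -> set[str]:
    """Every group:artifact reachable from `start`, excluding `start` itself."""
    children: dict[Node, list[Node]] = {}
    for p, c in edges:
        children.setdefault(p, []).append(c)
    seen: set[str] = set()
    stack = [start]
    while stack:
        for child in children.get(stack.pop(), []):
            if child.name not in seen:
                seen.add(child.name)
                stack.append(child)
    return seen


if __name__ == "__main__":
    for label, text in (("maven", MAVEN_DOT), ("sbt", SBT_DOT)):
        graph = parse_dot(text)
        root = root_of(graph)
        print(label, root.name, root.version,
              "direct:", sorted(direct_dependencies(graph, root)),
              "all:", sorted(transitive_closure(graph, root)))
```

Keeping the Maven scope on each node matters for the analyzer: a `test`-scoped dependency such as hamcrest above never ships with the artifact, so findings against it should be reported differently from `compile`-scoped ones.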