Re: [elixir-core:11503] Determine why a package is being pulled

Austin Ziegler Fri, 18 Aug 2023 10:34:19 -0700

That did help, thank you, and it's in a git package (but not the one with
the suspicious branch name). There are some possible decorations missing
from mix deps.tree, as I got this, for example:


├── app_identity ~> 1.3 (Hex package)
│   ├── jason ~> 1.0 (Hex package)
│   ├── poison >= 3.0.0 (Hex package)
│   │   └── decimal ~> 2.0 (Hex package)
│   ├── telemetry ~> 0.4 or ~> 1.0 (Hex package)
│   └── tesla ~> 1.0 (Hex package)
│       ├── hackney ~> 1.6 (Hex package)
│       │   ├── certifi ~> 2.9.0 (Hex package)
│       │   ├── idna ~> 6.1.0 (Hex package)
│       │   │   └── unicode_util_compat ~> 0.7.0 (Hex package)
│       │   ├── metrics ~> 1.0.0 (Hex package)
│       │   ├── mimerl ~> 1.1 (Hex package)
│       │   ├── parse_trans 3.3.1 (Hex package)
│       │   ├── ssl_verify_fun ~> 1.1.0 (Hex package)
│       │   └── unicode_util_compat ~> 0.7.0 (Hex package)
│       ├── jason >= 1.0.0 (Hex package)
│       ├── mime ~> 1.0 or ~> 2.0 (Hex package)
│       ├── poison >= 1.0.0 (Hex package)
│       └── telemetry ~> 0.4 or ~> 1.0 (Hex package)

Both tesla and app_identity declare poison as optional (and poison declares
decimal as optional), but this information isn’t in the decorations. IMO,
either "Hex package, optional" or "optional Hex package" would be ideal
there, and I can look at adding a PR for that.

On Fri, Aug 18, 2023 at 1:21 PM José Valim <jose.va...@dashbit.co> wrote:

> mix deps.tree could help you here. My suspicion is either a path or a git
> dependency, as their deps are not in the lock file. A branch called
> "allow-poison-5" is highly suspicious.
>
> We could also introduce a mix deps.why or a mix deps.tree --filter option
> to help narrow down those cases. Proposals and pull requests are welcome!
>
>
>
> On Fri, Aug 18, 2023 at 7:04 PM Austin Ziegler <halosta...@gmail.com>
> wrote:
>
>> It would be useful to have a `mix deps.why` or `mix hex.why` task similar
>> to `yarn why <package>` or `pnpm why <package>`, because I’m trying to
>> figure out why `mix deps.get` is retrieving `poison`, when it is not in any
>> of my `mix.exs` files (I am using an umbrella application).
>>
>> ```console
>> $ ag :poison $(fd mix.exs)
>> ```
>>
>> Yet it is in my `mix.lock`:
>>
>> ```console
>> $ ag '"poison":' mix.lock -c
>> 1
>> $ mix deps.unlock poison
>> Unlocked deps:
>> * poison
>> $ ag '"poison":' mix.lock -c
>> $ mix deps.get
>> Resolving Hex dependencies...
>> Resolution completed in 0.67s
>> Unchanged:
>>   [lots of entries]
>> New:
>>   poison 5.0.0
>> $ ag '"poison":' mix.lock -c
>> 1
>> ```
>>
>> Poison is otherwise mentioned in my `mix.lock`, but *only* because it is
>> an optional dependency for other dependencies:
>>
>> ```
>> $ ag poison mix.lock
>> mix.lock
>> 7:  "app_identity": {:hex, :app_identity, "1.3.1",
>> "6bf4970a433d7504a091b9ea57e6af4d7d23db76e7cc1577a6680e05823be7b2", [:mix],
>> [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:plug,
>> "~> 1.0", [hex: :plug, repo: "hexpm", optional: true]}, {:poison, ">=
>> 3.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~>
>> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}, {:tesla,
>> "~> 1.0", [hex: :tesla, repo: "hexpm", optional: true]}], "hexpm",
>> "70b92d03fdf1140e26a71bad5c042d9474686999457deecaad7b30f0a794b918"},
>> 45:  "gen_queue_opq": {:git, "
>> https://github.com/KineticCafe/gen_queue_opq.git";,
>> "a0552879e3e17441c33e52e8688981b5c34f0375", [branch: "allow-poison-5"]},
>> 77:  "poison": {:hex, :poison, "5.0.0",
>> "d2b54589ab4157bbb82ec2050757779bfed724463a544b6e20d79855a9e43b24", [:mix],
>> [{:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}],
>> "hexpm",
>> "11dc6117c501b80c62a7594f941d043982a1bd05a1184280c0d9166eb4d8d3fc"},
>> 87:  "tesla": {:hex, :tesla, "1.7.0",
>> "a62dda2f80d4f8a925eb7b8c5b78c461e0eb996672719fe1a63b26321a5f8b4e", [:mix],
>> [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional:
>> true]}, {:exjsx, ">= 3.0.0", [hex: :exjsx, repo: "hexpm", optional: true]},
>> {:finch, "~> 0.13", [hex: :finch, repo: "hexpm", optional: true]}, {:fuse,
>> "~> 2.4", [hex: :fuse, repo: "hexpm", optional: true]}, {:gun, "~> 1.3",
>> [hex: :gun, repo: "hexpm", optional: true]}, {:hackney, "~> 1.6", [hex:
>> :hackney, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.0", [hex:
>> :ibrowse, repo: "hexpm", optional: true]}, {:jason, ">= 1.0.0", [hex:
>> :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.0 or ~> 2.0", [hex:
>> :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint,
>> repo: "hexpm", optional: true]}, {:msgpax, "~> 2.3", [hex: :msgpax, repo:
>> "hexpm", optional: true]}, {:poison, ">= 1.0.0", [hex: :poison, repo:
>> "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex:
>> :telemetry, repo: "hexpm", optional: true]}], "hexpm",
>> "2e64f01ebfdb026209b47bc651a0e65203fcff4ae79c11efb73c4852b00dc313"},
>> ```
>>
>> In short, I don’t know why `poison` is being added back, and it would be
>> nice if there was an equivalent to `pnpm why <dependency>`. I don’t know
>> enough about how dependency resolution currently works to work on a PR, but
>> I think that this would be of value.
>>
>> -a
>> --
>> Austin Ziegler • halosta...@gmail.com • aus...@halostatue.ca
>> http://www.halostatue.ca/ • http://twitter.com/halostatue
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "elixir-lang-core" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to elixir-lang-core+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/elixir-lang-core/CAJ4ekQsrfEaOWz0FBO%2BdSPD-m7AzrLWhMbGC-r0g9%2BOJXp%3DHTg%40mail.gmail.com
>> <https://groups.google.com/d/msgid/elixir-lang-core/CAJ4ekQsrfEaOWz0FBO%2BdSPD-m7AzrLWhMbGC-r0g9%2BOJXp%3DHTg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
> --
> You received this message because you are subscribed to the Google Groups
> "elixir-lang-core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to elixir-lang-core+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elixir-lang-core/CAGnRm4JOY936%3DBHRQnSzVMMsjZpC2V175-WKTgNMD-oDLaSbdA%40mail.gmail.com
> <https://groups.google.com/d/msgid/elixir-lang-core/CAGnRm4JOY936%3DBHRQnSzVMMsjZpC2V175-WKTgNMD-oDLaSbdA%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>


-- 
Austin Ziegler • halosta...@gmail.com • aus...@halostatue.ca
http://www.halostatue.ca/ • http://twitter.com/halostatue

-- 
You received this message because you are subscribed to the Google Groups 
"elixir-lang-core" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elixir-lang-core+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elixir-lang-core/CAJ4ekQvZEGRzhKyWnPDPSWzsdW8pLpWLn1c7Lxo%3D%2BBYTEfwa5w%40mail.gmail.com.

Re: [elixir-core:11503] Determine why a package is being pulled

Reply via email to