Determine why a package is being pulled


Austin Ziegler

Aug 18, 2023, 1:04:06 PM
to elixir-l...@googlegroups.com
It would be useful to have a `mix deps.why` or `mix hex.why` task similar to `yarn why <package>` or `pnpm why <package>`, because I’m trying to figure out why `mix deps.get` is retrieving `poison`, when it is not in any of my `mix.exs` files (I am using an umbrella application).

```console
$ ag :poison $(fd mix.exs)
```

Yet it is in my `mix.lock`:

```console
$ ag '"poison":' mix.lock -c
1
$ mix deps.unlock poison
Unlocked deps:
* poison
$ ag '"poison":' mix.lock -c
$ mix deps.get
Resolving Hex dependencies...
Resolution completed in 0.67s
Unchanged:
  [lots of entries]
New:
  poison 5.0.0
$ ag '"poison":' mix.lock -c
1
```

Poison is otherwise mentioned in my `mix.lock`, but *only* because it is an optional dependency for other dependencies:

```console
$ ag poison mix.lock
mix.lock
7:  "app_identity": {:hex, :app_identity, "1.3.1", "6bf4970a433d7504a091b9ea57e6af4d7d23db76e7cc1577a6680e05823be7b2", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: true]}, {:poison, ">= 3.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}, {:tesla, "~> 1.0", [hex: :tesla, repo: "hexpm", optional: true]}], "hexpm", "70b92d03fdf1140e26a71bad5c042d9474686999457deecaad7b30f0a794b918"},
45:  "gen_queue_opq": {:git, "https://github.com/KineticCafe/gen_queue_opq.git", "a0552879e3e17441c33e52e8688981b5c34f0375", [branch: "allow-poison-5"]},
77:  "poison": {:hex, :poison, "5.0.0", "d2b54589ab4157bbb82ec2050757779bfed724463a544b6e20d79855a9e43b24", [:mix], [{:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "11dc6117c501b80c62a7594f941d043982a1bd05a1184280c0d9166eb4d8d3fc"},
87:  "tesla": {:hex, :tesla, "1.7.0", "a62dda2f80d4f8a925eb7b8c5b78c461e0eb996672719fe1a63b26321a5f8b4e", [:mix], [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}, {:exjsx, ">= 3.0.0", [hex: :exjsx, repo: "hexpm", optional: true]}, {:finch, "~> 0.13", [hex: :finch, repo: "hexpm", optional: true]}, {:fuse, "~> 2.4", [hex: :fuse, repo: "hexpm", optional: true]}, {:gun, "~> 1.3", [hex: :gun, repo: "hexpm", optional: true]}, {:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.0", [hex: :ibrowse, repo: "hexpm", optional: true]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: true]}, {:msgpax, "~> 2.3", [hex: :msgpax, repo: "hexpm", optional: true]}, {:poison, ">= 1.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm", "2e64f01ebfdb026209b47bc651a0e65203fcff4ae79c11efb73c4852b00dc313"},
```

In short, I don’t know why `poison` is being added back, and it would be nice if there was an equivalent to `pnpm why <dependency>`. I don’t know enough about how dependency resolution currently works to work on a PR, but I think that this would be of value.

-a

José Valim

Aug 18, 2023, 1:21:55 PM
to elixir-l...@googlegroups.com
mix deps.tree could help you here. My suspicion is either a path or a git dependency, as their deps are not in the lock file. A branch called "allow-poison-5" is highly suspicious.

We could also introduce a mix deps.why or a mix deps.tree --filter option to help narrow down those cases. Proposals and pull requests are welcome!




Austin Ziegler

Aug 18, 2023, 1:34:15 PM
to elixir-l...@googlegroups.com
That did help, thank you, and it's in a git package (but not the one with the suspicious branch name). There are some possible decorations missing from mix deps.tree, as I got this, for example:

```
├── app_identity ~> 1.3 (Hex package)
│   ├── jason ~> 1.0 (Hex package)
│   ├── poison >= 3.0.0 (Hex package)
│   │   └── decimal ~> 2.0 (Hex package)
│   ├── telemetry ~> 0.4 or ~> 1.0 (Hex package)
│   └── tesla ~> 1.0 (Hex package)
│       ├── hackney ~> 1.6 (Hex package)
│       │   ├── certifi ~> 2.9.0 (Hex package)
│       │   ├── idna ~> 6.1.0 (Hex package)
│       │   │   └── unicode_util_compat ~> 0.7.0 (Hex package)
│       │   ├── metrics ~> 1.0.0 (Hex package)
│       │   ├── mimerl ~> 1.1 (Hex package)
│       │   ├── parse_trans 3.3.1 (Hex package)
│       │   ├── ssl_verify_fun ~> 1.1.0 (Hex package)
│       │   └── unicode_util_compat ~> 0.7.0 (Hex package)
│       ├── jason >= 1.0.0 (Hex package)
│       ├── mime ~> 1.0 or ~> 2.0 (Hex package)
│       ├── poison >= 1.0.0 (Hex package)
│       └── telemetry ~> 0.4 or ~> 1.0 (Hex package)
```

Both tesla and app_identity declare poison as optional (and poison declares decimal as optional), but this information isn’t in the decorations. IMO, either "Hex package, optional" or "optional Hex package" would be ideal there, and I can look at adding a PR for that.
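Until a `mix deps.why` task exists, the same question can be answered from the text that `mix deps.tree` already prints. The following is an added example, not part of the thread and not Mix's own code: a small Python filter that reads saved `mix deps.tree` output and returns every dependency chain ending at a given package. The root name `my_app`, the function name `why` and the trimmed sample tree are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the tree quoted in the thread, placed
# under a hypothetical root application called "my_app".
SAMPLE_TREE = """\
my_app
├── app_identity ~> 1.3 (Hex package)
│   ├── jason ~> 1.0 (Hex package)
│   ├── poison >= 3.0.0 (Hex package)
│   │   └── decimal ~> 2.0 (Hex package)
│   └── tesla ~> 1.0 (Hex package)
│       ├── mime ~> 1.0 or ~> 2.0 (Hex package)
│       └── poison >= 1.0.0 (Hex package)
└── jason ~> 1.0 (Hex package)
"""

# Indentation (runs of "│   " or four spaces), a branch connector, then
# "<name> <requirement> (<source>)".
NODE = re.compile(r"^(?P<indent>[│ ]*)[├└]── (?P<name>\S+)\s*(?P<rest>.*)$")


def why(tree_text, package):
    """Return (chain, requirement-and-source) for each occurrence of `package`."""
    chains = []
    root = None   # most recent line without a connector (the application name)
    stack = []    # stack[i] is the dependency currently open at depth i
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            # Root application line, blank line or other header: start a new tree.
            root, stack = (line.strip() or None), []
            continue
        depth = len(m["indent"]) // 4   # each nesting level is 4 columns wide
        del stack[depth:]               # close siblings and deeper branches
        stack.append(m["name"])
        if m["name"] == package:
            chains.append((([root] if root else []) + stack, m["rest"]))
    return chains


if __name__ == "__main__":
    for chain, rest in why(SAMPLE_TREE, "poison"):
        print(" -> ".join(chain), "|", rest)
```

The result shows which parents request the package and with what requirement, but it cannot say whether a request is optional, because that information is not in the `mix deps.tree` output.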
