Make pipenv strategy differentiate between direct and transitive deps #1601
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
csasarak
approved these changes
Oct 17, 2025
Comment on lines
+62
to
+64
| PipfileToml | ||
| (pipfilePackageList ["pkgOne"]) | ||
| (pipfilePackageList ["pkgTwo"]) |
There was a problem hiding this comment.
[Optional] We use records positionally a lot in the CLI. It quickly becomes unwieldy and hard to read when it's a record with many fields. If I wrote a function with seven arguments or something you'd probably, correctly, call it out in a review. Personally, I'd like it if we all moved towards being a bit more explicit.
There's even an action HLS has to do it for you.
This particular case looks fine to me if you want to keep it though, or disagree with the idea above.
| addWithEnv env sourcesMap name dep = do | ||
| let pkg = PipPkg name (Text.drop 2 <$> fileDepVersion dep) | ||
| -- Use the Pipfile as the source of truth for which dependencies are direct | ||
| let graphFn = if Map.member name pipfilePackages || Map.member name pipfileDevPackages then direct else deep |
There was a problem hiding this comment.
[nit] It may be more straightforward to just inline this if expression.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR fixes the pipenv strategy to differentiate between direct and transitive dependencies. We are able to make this distinction via static analysis, but generating edges requires the
pipenv graphcommand, and is thus only available as a dynamic strategy. NeitherPipfile.locknorpipenv graphadequately identify which dependences are direct, so I've introduced parsing ofPipfilein order to accurately make this distinction.I also included a fix for some broken links in the Swift docs.
Acceptance criteria
Pipenv correctly differentiates between direct and transitive dependencies.
Testing plan
requestspackage. Confirm that the dependency graph looks correctlangchainas well which itself also depends onrequests. Confirm thatlangchainandrequestsare both reported as direct dependencies.Risks
Metrics
References
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an## Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.