
Distinguish between normal and dev dependencies. #332

Closed
michaelkedar opened this issue Apr 4, 2023 · 4 comments
Labels: enhancement (New feature or request), good first issue (Good for newcomers)

Comments

@michaelkedar
Member

There is no current way to identify whether a vulnerable dependency only affects the development environment e.g. whether it comes from devDependencies or dependencies in package.json.

We should add a field to the output to present this information, if we can extract it.

@michaelkedar michaelkedar added the enhancement New feature or request label Apr 4, 2023
@aniruth37

I tried adding a column called DevDependency to the output table. Would the below output resolve this issue?

[image: screenshot of the proposed output table with a DevDependency column]

@another-rex
Collaborator

We are thinking of placing the devDependencies in a separate table under the normal dependencies.

So if we identify any dev dependencies, we will print two tables, with the first table containing only main deps, and a second table containing dev deps.

@G-Rath
Collaborator

G-Rath commented Jun 15, 2023

@another-rex probably better to have support for marking "groups" that packages belong to, to support arbitrary groupings and have the default of no group take priority (since that is typically what is considered production dependencies); then in your output you just print-by-group and naturally sort "no group" to the top.

@oliverchang oliverchang added the good first issue Good for newcomers label Sep 21, 2023
@oliverchang
Collaborator

@cuixq This might be an interesting starter project to tackle.

@cuixq cuixq self-assigned this Sep 25, 2023
cuixq added a commit that referenced this issue Dec 11, 2023
Issue #332

Non-default dependency groups are recorded in strings as per ecosystem:
- **Composer:** development dependencies in `packages-dev`
- **Conan:** dependencies in `build-requires` and `python-requires`
- **Maven:** `<scope/>` in `<dependency/>`
- **npm:** `dev` and `optional` dependencies
- **pipenv:** development dependencies in `develop`
- **pnpm:** development dependencies with `dev` as true
- **Poetry:** optional dependencies with `optional = true`
- **Pubspec:** development dependencies marked with `dev`
- **requirements.txt:** group of a dependency is the file name without the extension

Reporters:
- **table:** non-default groups are appended to the end of package name, for example: `abc (development)`
- **json:** non-default group information in `dependencyGroups`

---------

Co-authored-by: josieang <[email protected]>
Co-authored-by: Gareth Jones <[email protected]>
Co-authored-by: Mend Renovate <[email protected]>
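As an added illustration of the grouping scheme described in the commit message above and of @G-Rath's earlier "print by group, default group first" suggestion (example code written for this page, not osv-scanner's own implementation): the Go program below parses a constructed `package-lock.json` (lockfileVersion 3) fragment, records `dev` and `optional` as non-default groups the way the npm entry in the commit message describes, sorts ungrouped (production) packages to the top, and renders both a table-style name with the group appended and a JSON document carrying a `dependencyGroups` field. The function names `ParseNpmLock`, `SortForReport`, `TableName` and `ReportJSON`, and the sample lockfile contents, are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SampleLock is a constructed package-lock.json (lockfileVersion 3) fragment
// for this example; it is not taken from any real project.
const SampleLock = `{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/jest": {"version": "29.7.0", "dev": true},
    "node_modules/fsevents": {"version": "2.3.3", "optional": true},
    "node_modules/jest/node_modules/chalk": {"version": "4.1.2", "dev": true}
  }
}`

// lockEntry holds the fields of a "packages" entry that decide the group.
type lockEntry struct {
	Version  string `json:"version"`
	Dev      bool   `json:"dev"`
	Optional bool   `json:"optional"`
}

type lockfile struct {
	Packages map[string]lockEntry `json:"packages"`
}

// Package is one scanned dependency. Groups is empty for a production
// dependency and lists the non-default groups ("dev", "optional") otherwise;
// the JSON tag mirrors the dependencyGroups field named in the commit message.
type Package struct {
	Name    string   `json:"name"`
	Version string   `json:"version"`
	Groups  []string `json:"dependencyGroups,omitempty"`
}

// ParseNpmLock reads a package-lock.json and records each package's groups.
func ParseNpmLock(data []byte) ([]Package, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parse lockfile: %w", err)
	}
	pkgs := make([]Package, 0, len(lf.Packages))
	for path, e := range lf.Packages {
		if path == "" {
			continue // the root project entry is not a dependency
		}
		// Nested installs look like node_modules/a/node_modules/b; the
		// package name is whatever follows the last "node_modules/".
		name := path
		if i := strings.LastIndex(path, "node_modules/"); i >= 0 {
			name = path[i+len("node_modules/"):]
		}
		var groups []string
		if e.Dev {
			groups = append(groups, "dev")
		}
		if e.Optional {
			groups = append(groups, "optional")
		}
		pkgs = append(pkgs, Package{Name: name, Version: e.Version, Groups: groups})
	}
	SortForReport(pkgs)
	return pkgs, nil
}

// SortForReport orders ungrouped (production) packages first and grouped
// packages after them, each run alphabetical, so the default group lands at
// the top of a table.
func SortForReport(pkgs []Package) {
	sort.SliceStable(pkgs, func(i, j int) bool {
		pi, pj := len(pkgs[i].Groups) == 0, len(pkgs[j].Groups) == 0
		if pi != pj {
			return pi
		}
		return pkgs[i].Name < pkgs[j].Name
	})
}

// TableName renders a name the way a table reporter might: non-default
// groups appended in parentheses, e.g. "jest (dev)".
func TableName(p Package) string {
	if len(p.Groups) == 0 {
		return p.Name
	}
	return fmt.Sprintf("%s (%s)", p.Name, strings.Join(p.Groups, ", "))
}

// ReportJSON emits the packages; production packages omit dependencyGroups.
func ReportJSON(pkgs []Package) ([]byte, error) {
	return json.MarshalIndent(pkgs, "", "  ")
}

func main() {
	pkgs, err := ParseNpmLock([]byte(SampleLock))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%-24s %s\n", TableName(p), p.Version)
	}
	out, _ := ReportJSON(pkgs)
	fmt.Println(string(out))
}
```

Run with `go run .`; the table prints `express` first and the grouped packages as `chalk (dev)`, `fsevents (optional)` and `jest (dev)`, and the JSON output carries `dependencyGroups` only on the three non-production entries. Keeping the group as a list rather than a boolean is what lets the same structure cover Maven scopes or requirements-file names, as the commit message's per-ecosystem mapping does.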
@cuixq cuixq closed this as completed Jan 9, 2024