add ability to emit a lock file #1487
Comments
I'd be interested as well - sbt/sbt#2989

Actually a clean implementation of this is probably just a JSON serialization of the Resolution file that is sane enough that humans can read in a code review. If we have

Are you aware of the already existing option to generate a JSON report, for the

    $ coursier fetch org.typelevel::cats-core:2.1.0 --json-output-file report.json

The resulting file looks like this:

    {
      "conflict_resolution": {},
      "dependencies": [
        {
          "coord": "org.scala-lang:scala-library:2.13.1",
          "file": "/home/alexandre/.cache/coursier/v1/https/repo1.maven.org/maven2/org/scala-lang/scala-library/2.13.1/scala-library-2.13.1.jar",
          "directDependencies": [],
          "dependencies": []
        },
        {
          "coord": "org.typelevel:cats-core_2.13:2.1.0",
          "file": "/home/alexandre/.cache/coursier/v1/https/repo1.maven.org/maven2/org/typelevel/cats-core_2.13/2.1.0/cats-core_2.13-2.1.0.jar",
          "directDependencies": [
            "org.scala-lang:scala-library:2.13.1",
            "org.typelevel:cats-kernel_2.13:2.1.0",
            "org.typelevel:cats-macros_2.13:2.1.0"
          ],
          "dependencies": [
            "org.typelevel:cats-macros_2.13:2.1.0",
            "org.typelevel:cats-kernel_2.13:2.1.0",
            "org.scala-lang:scala-library:2.13.1"
          ]
        },
        {
          "coord": "org.typelevel:cats-kernel_2.13:2.1.0",
          "file": "/home/alexandre/.cache/coursier/v1/https/repo1.maven.org/maven2/org/typelevel/cats-kernel_2.13/2.1.0/cats-kernel_2.13-2.1.0.jar",
          "directDependencies": [
            "org.scala-lang:scala-library:2.13.1"
          ],
          "dependencies": [
            "org.scala-lang:scala-library:2.13.1"
          ]
        },
        {
          "coord": "org.typelevel:cats-macros_2.13:2.1.0",
          "file": "/home/alexandre/.cache/coursier/v1/https/repo1.maven.org/maven2/org/typelevel/cats-macros_2.13/2.1.0/cats-macros_2.13-2.1.0.jar",
          "directDependencies": [
            "org.scala-lang:scala-library:2.13.1"
          ],
          "dependencies": [
            "org.scala-lang:scala-library:2.13.1"
          ]
        }
      ],
      "version": "0.1.0"
    }

Could it fit your needs? It was added for pants, and is used by bazel too.

The current report could be improved though, so that it can be generated from the

Thanks for the reply. I was not aware of that option. How is fetch different from resolve? If we fetch a set of arguments will the report also resolve them down to a single version of each module? Can fetch be used to generate a lock file as is the goal of the sbt issue and the motivation for my request? Would you be willing to add http urls and sha256 hash values rather than only having pointers to a file system location? Next question: the file does not look reproducible (e.g. the order of the artifacts doesn’t seem sorted and is different in the directDependencies vs dependencies). Is that accurate? Would you be open to a PR to make that file (more) deterministic so it is more suitable for hashing?

Note I guess this is basically a duplicate of #1223 and we all seem to have the same use case in mind.

I haven't thought much about how the JSON report could be used as a lock file from sbt… If its format, modulo some improvements, works fine, I guess it could be used for that. From sbt, we would need some logic to then pick the lock file, and rely on it instead of running an actual resolution.

Definitely!

I think what would be quite ideal is if resolve was able to emit json - similar to

    cs resolve org.codehaus.groovy:groovy-all:3.0+ --json-output-file /var/tmp/coursier-lock.json
    cs fetch --json-input-file /var/tmp/coursier-lock.json

Actually

FWIW: Pants uses

the coursier CLI has a resolve option and -t but the output is more useful for humans than tools.
Would you be open to a PR to add the ability to emit a JSON lock file?
I imagine it would list all the constraints that went in (all the artifacts + versions), and then list the minDependencies optionally including sha256 hashes of all the artifacts.
This is suitable for checking into a version control for a fully reproducible description of the classpath used to build.
This protects people from mutable changes in repositories (which are possible) causing hard to diagnose issues (not noticing that the resolution changed).
If this sounds like it would be useful, I can see about sending some PRs to implement this.
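
An added illustration (not code from coursier or from anyone in this thread) of the post-processing the request and the follow-up questions describe, applied to a report in the `--json-output-file` shape shown above: every list is sorted so the output is byte-stable, and each host-specific `file` path becomes a URL plus SHA-256. The lock field names `url` and `sha256`, the path-to-URL rule, and the sample jars are assumptions constructed for the example.

```python
import hashlib, json, os, pathlib, tempfile

def cache_path_to_url(path):
    # Assumption: the path after "v1" mirrors the URL, as the "file" values above suggest.
    parts = str(path).replace(os.sep, "/").split("/")
    i = parts.index("v1")
    return parts[i + 1] + "://" + "/".join(parts[i + 2:])

def to_lock(report):
    """Replace host-specific paths with URL + SHA-256 and sort every list."""
    entries = [{
        "coord": d["coord"],
        "url": cache_path_to_url(d["file"]),
        "sha256": hashlib.sha256(pathlib.Path(d["file"]).read_bytes()).hexdigest(),
        "directDependencies": sorted(d["directDependencies"]),
        "dependencies": sorted(d["dependencies"]),
    } for d in report["dependencies"]]
    return {"version": report["version"], "dependencies": sorted(entries, key=lambda e: e["coord"])}

def serialize(lock):
    """Byte-stable form for version control and for hashing the file."""
    return (json.dumps(lock, sort_keys=True, indent=2) + "\n").encode()

def changed_artifacts(old, new):
    """Coordinates added, removed, or whose artifact hash differs."""
    a = {d["coord"]: d["sha256"] for d in old["dependencies"]}
    b = {d["coord"]: d["sha256"] for d in new["dependencies"]}
    return sorted(c for c in a.keys() | b.keys() if a.get(c) != b.get(c))

def demo():
    # Constructed input: two fake jars laid out like the cache paths above.
    root = pathlib.Path(tempfile.mkdtemp(), "v1", "https", "repo1.maven.org", "maven2")
    def dep(coord, rel, data, deps):
        p = root.joinpath(*rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        return {"coord": coord, "file": str(p), "directDependencies": deps, "dependencies": deps}
    lib = "org.scala-lang:scala-library:2.13.1"
    ker = "org.typelevel:cats-kernel_2.13:2.1.0"
    deps = [dep(ker, "org/typelevel/cats-kernel_2.13/2.1.0/cats-kernel_2.13-2.1.0.jar", b"constructed B", [lib]),
            dep(lib, "org/scala-lang/scala-library/2.13.1/scala-library-2.13.1.jar", b"constructed A", [])]
    before = to_lock({"version": "0.1.0", "dependencies": deps})
    reordered = to_lock({"version": "0.1.0", "dependencies": deps[::-1]})
    pathlib.Path(deps[0]["file"]).write_bytes(b"constructed B, republished")  # repository served new bytes
    after = to_lock({"version": "0.1.0", "dependencies": deps})
    return serialize(before) == serialize(reordered), changed_artifacts(before, after), before["dependencies"][0]["url"]

if __name__ == "__main__":
    print(demo())
```

Comparing a freshly generated lock against the committed one with `changed_artifacts` is what surfaces a republished artifact whose coordinates stayed the same.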