Option to update specific sub-dependency in lock file #2628
Comments
This is the feature I am also looking for, as I need to deal with the same problem when updating vulnerable indirect dependencies. So far I haven't found out how to do it properly, so my workaround for this is to:

This is not an ideal workflow, but it works as a workaround, and I am looking for guidance or an enhancement!
Hi!
@rasmus-d Thanks, feel free to start working on it.
Add the `--allow-transitive` argument handler to the class `Command` and its `do_update` method in `update.py`. Add logic for updating transitive dependencies in `update.py`. If the specified package is not in `pyproject.toml`, and the `--allow-transitive` flag is used, then try to match the package name with packages in the lock file instead. Ensure transitive dependencies are not written to `pyproject.toml`. Add three tests for the `--allow-transitive` flag. Add shell completions for bash, fish, powershell and zshell.

Resolves pdm-project#2628

Co-authored-by: Victor Stenmark <67392286+Stenmarken@users.noreply.github.com>
Co-authored-by: Ludvig Skare <131673712+lskare@users.noreply.github.com>
Co-authored-by: Sebastian Montén <94540990+sebastianmonten@users.noreply.github>
Co-authored-by: Dante Astorga Castillo <95686424+dantevi@users.noreply.github.com>
…#2689)

Add the `--allow-transitive` argument handler to the class `Command` and its `do_update` method in `update.py`. Add logic for updating transitive dependencies in `update.py`. If the specified package is not in `pyproject.toml`, and the `--allow-transitive` flag is used, then try to match the package name with packages in the lock file instead. Ensure transitive dependencies are not written to `pyproject.toml`. Add three tests for the `--allow-transitive` flag. Add shell completions for bash, fish, powershell and zshell.

Resolves #2628

Co-authored-by: Victor Stenmark <67392286+Stenmarken@users.noreply.github.com>
Co-authored-by: Ludvig Skare <131673712+lskare@users.noreply.github.com>
Co-authored-by: Sebastian Montén <94540990+sebastianmonten@users.noreply.github>
Co-authored-by: Dante Astorga Castillo <95686424+dantevi@users.noreply.github.com>
Co-authored-by: Rasmus Danielsson <91320451+rasmus-d@users.noreply.github.com>
…#2689)

Add the `--allow-transitive` argument handler to the class `Command` and its `do_update` method in `update.py`. Add logic for updating transitive dependencies in `update.py`. If the specified package is not in `pyproject.toml`, and the `--allow-transitive` flag is used, then try to match the package name with packages in the lock file instead. Ensure transitive dependencies are not written to `pyproject.toml`. Add three tests for the `--allow-transitive` flag. Add shell completions for bash, fish, powershell and zshell.

Resolves #2628

Co-authored-by: Victor Stenmark <67392286+Stenmarken@users.noreply.github.com>
Co-authored-by: Ludvig Skare <131673712+lskare@users.noreply.github.com>
Co-authored-by: Sebastian Montén <94540990+sebastianmonten@users.noreply.github>
Co-authored-by: Dante Astorga Castillo <95686424+dantevi@users.noreply.github.com>
Co-authored-by: Rasmus Danielsson <91320451+rasmus-d@users.noreply.github.com>
Signed-off-by: Frost Ming <me@frostming.com>
Is your feature/enhancement proposal related to a problem? Please describe.

At work, we use scanning tools to check if there are any known vulnerabilities in our images before we deploy. This is straightforward if the package is defined in the `pyproject.toml`, using `pdm update`, but often the offending package is a sub-dependency that's only defined in the lock file. For example, if a package like FastAPI has a vulnerability, I can do `pdm update fastapi`. If Starlette, a dependency of FastAPI, has a vulnerability, this does not work. I know I can do eager updating on the entire file, but (to my knowledge) I can't limit this to a specific sub-dependency.

Describe the solution you'd like

I'd love a feature similar to what `pdm update` currently does, but which only updates the versions in the lock file.
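The two situations on this page, a scanner flagging a lock-only package such as Starlette, and the commit's rule that an update request is matched against `pyproject.toml` first and against the lock file only when `--allow-transitive` is given, can be worked through on a small model of the lock file. The example below is added here and is not pdm's code nor the code of the linked PR; `SAMPLE_LOCK` and `SAMPLE_PYPROJECT_DEPS` are constructed inputs modelled on the `[[package]]` tables of a `pdm.lock` and on `[project].dependencies`, the function names are my own, and `load_lock` assumes the standard-library `tomllib` (Python 3.11+) for reading a real lock file.

```python
import re

# Constructed sample modelled on the [[package]] tables of a pdm.lock file;
# it is not a real lock file and the versions are illustrative only.
SAMPLE_LOCK = {
    "package": [
        {"name": "fastapi", "version": "0.100.0",
         "dependencies": ["starlette>=0.27.0,<0.28.0", "pydantic>=1.7.4"]},
        {"name": "starlette", "version": "0.27.0",
         "dependencies": ["anyio>=3.4.0,<5"]},
        {"name": "anyio", "version": "3.7.1",
         "dependencies": ["idna>=2.8", "sniffio>=1.1"]},
        {"name": "pydantic", "version": "1.10.12",
         "dependencies": ["typing-extensions>=4.2.0"]},
        {"name": "idna", "version": "3.4"},
        {"name": "sniffio", "version": "1.3.0"},
        {"name": "typing-extensions", "version": "4.7.1"},
    ]
}

# Constructed [project].dependencies as they might appear in pyproject.toml.
SAMPLE_PYPROJECT_DEPS = ["fastapi>=0.100", "Pydantic>=1.7"]

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """Normalize a distribution name as PEP 503 does (case and -_. folding)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(requirement: str) -> str:
    """Normalized project name from a requirement string such as
    'starlette>=0.27.0,<0.28.0' or 'uvicorn[standard]; python_version>="3.8"'."""
    match = _NAME_RE.match(requirement)
    if not match:
        raise ValueError(f"cannot parse requirement: {requirement!r}")
    return normalize(match.group(1))


def load_lock(path: str) -> dict:
    """Load a real pdm.lock (TOML) into the same shape as SAMPLE_LOCK.
    Assumes Python 3.11+ for tomllib; the sample data does not need it."""
    import tomllib
    with open(path, "rb") as fh:
        return tomllib.load(fh)


def lock_packages(lock: dict) -> dict:
    """Map normalized package name -> its [[package]] table."""
    return {normalize(p["name"]): p for p in lock.get("package", [])}


def dependents(lock: dict, name: str) -> list:
    """Locked packages that directly require `name` (reverse edge of the graph)."""
    target = normalize(name)
    hits = [pkg_name for pkg_name, pkg in lock_packages(lock).items()
            if any(requirement_name(r) == target for r in pkg.get("dependencies", []))]
    return sorted(hits)


def paths_to(pyproject_deps: list, lock: dict, name: str) -> list:
    """Every chain from a direct dependency down to `name`, which tells you
    which top-level package pins the transitive one a scanner flagged."""
    pkgs = lock_packages(lock)
    target = normalize(name)
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for req in pkgs.get(node, {}).get("dependencies", []):
            child = requirement_name(req)
            if child not in path:  # guard against dependency cycles
                walk(child, path + [child])

    for req in pyproject_deps:
        root = requirement_name(req)
        walk(root, [root])
    return found


def resolve_update_target(pyproject_deps: list, lock: dict, name: str,
                          allow_transitive: bool = False) -> tuple:
    """Decide how an `update <name>` request is handled: direct dependencies are
    always updatable; lock-only ones need allow_transitive and are reported as
    'transitive' so the caller rewrites the lock file and never pyproject.toml."""
    target = normalize(name)
    direct = {requirement_name(r) for r in pyproject_deps}
    if target in direct:
        return ("direct", target)
    if target not in lock_packages(lock):
        raise LookupError(f"{name!r} is neither a direct dependency nor in the lock file")
    if not allow_transitive:
        raise LookupError(f"{name!r} is transitive; pass --allow-transitive to update it")
    return ("transitive", target)


if __name__ == "__main__":
    for pkg in ("fastapi", "starlette", "sniffio"):
        print(pkg, "required by", dependents(SAMPLE_LOCK, pkg),
              "via", paths_to(SAMPLE_PYPROJECT_DEPS, SAMPLE_LOCK, pkg))
    print(resolve_update_target(SAMPLE_PYPROJECT_DEPS, SAMPLE_LOCK, "starlette", allow_transitive=True))
```

Name normalization is the part that most often goes wrong in this kind of matching: the scanner may report `Typing_Extensions` while the lock file stores `typing-extensions`, so both sides are folded with the PEP 503 rule before comparison. Refusing a lock-only package unless the flag is set mirrors the commit's behaviour and keeps a transitive pin from silently becoming a declared dependency.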