Option to update specific sub-dependency in lock file #2628

Vinno97 · 2024-02-09T12:26:46Z

Is your feature/enhancement proposal related to a problem? Please describe.

At work, we use scanning tools to check if there are any known vulnerabilities in our images before we deploy. This is straightforward if the package is defined in the pyproject.tom using pdm update, but often the offending package is a sub-dependency that's only defined in the lock file.

For example, if a package like FastAPI has a vulnerability, I can do pdm update fastapi. If Starlette, a dependency of FastAPI, has a vulnerability, this does not work.

$ pdm update starlette                                                   
[ProjectError]: starlette does not exist in default dependencies.

I know I can do do eager updating on the entire file, but (to my knowledge) I can't limit this to a specific sub-dependency.

Describe the solution you'd like

I'd love a feature similar to what pdm update currently does, but which only updates the versions in the lock file.

$ pdm <update-lock-command> starlette

The text was updated successfully, but these errors were encountered:

Allda · 2024-02-19T11:20:05Z

This is the feature I am also looking for as I need to deal with the same problem when updating vulnerable indirect dependencies. So far I haven't found a how to do it properly so my workaround for this is to:

Add indirect dependency to direct ones
Update the dependency
Remove the dependency from pyproject.toml

This is not an ideal workflow but it works as a workaround and I am looking for guidance or enhancement!

rasmus-d · 2024-02-26T16:10:00Z

Hi!
If this issue is still requested I would like to work on this issue together with some classmates -- as part of a course in software development. Could i get the issue assigned to me?

frostming · 2024-02-27T00:29:29Z

@rasmus-d Thanks, feel free to get start working on it.

Add the `--allow-transitive` argument handler to the class `Command` and its `do_update` method in `update.py`. Add logic for updating transitive dependencies in `update.py`. If the specified package is not in `pyproject.toml`, and the '--allow-transitive' flag is used, then try to match the package name with packages in the lock file instead. Ensures transitive dependencies are not written to `pyproject.toml`. Add three tests for `--allow-transitive` flag. Add shell completions for bash, fish, powershell and zshell. Resolves pdm-project#2628 Co-authored-by: Victor Stenmark <67392286+Stenmarken@users.noreply.github.com> Co-authored-by: Ludvig Skare <131673712+lskare@users.noreply.github.com> Co-authored-by: Sebastian Montén <94540990+sebastianmonten@users.noreply.github> Co-authored-by: Dante Astorga Castillo <95686424+dantevi@users.noreply.github.com>

…#2689) Add the `--allow-transitive` argument handler to the class `Command` and its `do_update` method in `update.py`. Add logic for updating transitive dependencies in `update.py`. If the specified package is not in `pyproject.toml`, and the '--allow-transitive' flag is used, then try to match the package name with packages in the lock file instead. Ensures transitive dependencies are not written to `pyproject.toml`. Add three tests for `--allow-transitive` flag. Add shell completions for bash, fish, powershell and zshell. Resolves #2628 Co-authored-by: Victor Stenmark <67392286+Stenmarken@users.noreply.github.com> Co-authored-by: Ludvig Skare <131673712+lskare@users.noreply.github.com> Co-authored-by: Sebastian Montén <94540990+sebastianmonten@users.noreply.github> Co-authored-by: Dante Astorga Castillo <95686424+dantevi@users.noreply.github.com> Co-authored-by: Rasmus Danielsson <91320451+rasmus-d@users.noreply.github.com>

…#2689) Add the `--allow-transitive` argument handler to the class `Command` and its `do_update` method in `update.py`. Add logic for updating transitive dependencies in `update.py`. If the specified package is not in `pyproject.toml`, and the '--allow-transitive' flag is used, then try to match the package name with packages in the lock file instead. Ensures transitive dependencies are not written to `pyproject.toml`. Add three tests for `--allow-transitive` flag. Add shell completions for bash, fish, powershell and zshell. Resolves #2628 Co-authored-by: Victor Stenmark <67392286+Stenmarken@users.noreply.github.com> Co-authored-by: Ludvig Skare <131673712+lskare@users.noreply.github.com> Co-authored-by: Sebastian Montén <94540990+sebastianmonten@users.noreply.github> Co-authored-by: Dante Astorga Castillo <95686424+dantevi@users.noreply.github.com> Co-authored-by: Rasmus Danielsson <91320451+rasmus-d@users.noreply.github.com> Signed-off-by: Frost Ming <me@frostming.com>

Vinno97 added the ⭐ enhancement Improvements for existing features label Feb 9, 2024

frostming assigned rasmus-d Feb 27, 2024

sebastianmonten mentioned this issue Feb 27, 2024

not related! : P7 Add UML for features affected by our Issue KTH-DD2480-Fundsoft/pdm#13

Closed

This was referenced Mar 13, 2024

feat: allow updating specific sub-deps with --allow-transitive flag #2689

Merged

not related KTH-DD2480-Fundsoft/pdm#57

Closed

frostming closed this as completed in bd92b07 Mar 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Option to update specific sub-dependency in lock file #2628

Option to update specific sub-dependency in lock file #2628

Vinno97 commented Feb 9, 2024

Allda commented Feb 19, 2024

rasmus-d commented Feb 26, 2024

frostming commented Feb 27, 2024

Option to update specific sub-dependency in lock file #2628

Option to update specific sub-dependency in lock file #2628

Comments

Vinno97 commented Feb 9, 2024

Is your feature/enhancement proposal related to a problem? Please describe.

Describe the solution you'd like

Allda commented Feb 19, 2024

rasmus-d commented Feb 26, 2024

frostming commented Feb 27, 2024