This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2022-11-11
I recently made a security report using nvd-clojure and I got some terminal output that looks like this (showing mostly issues with transitive dependencies). Is there a one-liner I can use to quickly figure out which of my explicit dependencies result in one of these transitive dependencies?
When I run clj -X:deps tree the output isn’t that easy to sort through (or grep for ancestors), so I spend a lot of time searching through it to figure things out. I’ve tried making a graph using tools.deps.graph, which would be ideal, except the output is a bitmap image which can’t be searched…
With clj -X:deps tree :format :edn you can get the output as data, which might help a bit
But it doesn't solve your other problem (some dependencies not appearing at all)
yeah… anyway, I found that using grep -B 20 solves grepping the result pretty well, so that at least works ok
You might try clj-watson to get a little better output, not sure if it will address your concerns
It turns out that it was because aliases are not considered when you use -X:deps, while they work with -SDeps. What’s up with that?
(pointed out to me by the wonderful @U7PBP4UVA)
I see: https://ask.clojure.org/index.php/10245/clj-x-deps-tree-ignores-sdeps?show=10245#q10245
Is there a way to figure out which :mvn/repos entry in deps.edn provides which dependency?
not currently (and there's not necessarily only one answer)
but this would be a useful thing to know
You can see it during download so doing something like clj -Sdeps '{:mvn/local-repo "tmp"}' -Stree will show you in the output (and leave you the full lib set in ./tmp)
Oh, nice, that will do, thanks a lot. 🙂 My use case is a custom maven repo that I suspect is no longer useful, but I'd like a confirmation before I remove it. Your workaround is good enough but if this is something that you'd consider improving let me know if you'd like to have the question on http://ask.clojure.org and I'll post it.
go for it, have been thinking it would be useful to have something like this for a while