Re: [elixir-core:11502] Determine why a package is being pulled

José Valim Fri, 18 Aug 2023 10:21:58 -0700

mix deps.tree could help you here. My suspicion is either a path or a git
dependency, as their deps are not in the lock file. A branch called
"allow-poison-5" is highly suspicious.


We could also introduce a mix deps.why or a mix deps.tree --filter option
to help narrow down those cases. Proposals and pull requests are welcome!



On Fri, Aug 18, 2023 at 7:04 PM Austin Ziegler <halosta...@gmail.com> wrote:

> It would be useful to have a `mix deps.why` or `mix hex.why` task similar
> to `yarn why <package>` or `pnpm why <package>`, because I’m trying to
> figure out why `mix deps.get` is retrieving `poison`, when it is not in any
> of my `mix.exs` files (I am using an umbrella application).
>
> ```console
> $ ag :poison $(fd mix.exs)
> ```
>
> Yet it is in my `mix.lock`:
>
> ```console
> $ ag '"poison":' mix.lock -c
> 1
> $ mix deps.unlock poison
> Unlocked deps:
> * poison
> $ ag '"poison":' mix.lock -c
> $ mix deps.get
> Resolving Hex dependencies...
> Resolution completed in 0.67s
> Unchanged:
>   [lots of entries]
> New:
>   poison 5.0.0
> $ ag '"poison":' mix.lock -c
> 1
> ```
>
> Poison is otherwise mentioned in my `mix.lock`, but *only* because it is
> an optional dependency for other dependencies:
>
> ```
> $ ag poison mix.lock
> mix.lock
> 7:  "app_identity": {:hex, :app_identity, "1.3.1",
> "6bf4970a433d7504a091b9ea57e6af4d7d23db76e7cc1577a6680e05823be7b2", [:mix],
> [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:plug,
> "~> 1.0", [hex: :plug, repo: "hexpm", optional: true]}, {:poison, ">=
> 3.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~>
> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}, {:tesla,
> "~> 1.0", [hex: :tesla, repo: "hexpm", optional: true]}], "hexpm",
> "70b92d03fdf1140e26a71bad5c042d9474686999457deecaad7b30f0a794b918"},
> 45:  "gen_queue_opq": {:git, "
> https://github.com/KineticCafe/gen_queue_opq.git";,
> "a0552879e3e17441c33e52e8688981b5c34f0375", [branch: "allow-poison-5"]},
> 77:  "poison": {:hex, :poison, "5.0.0",
> "d2b54589ab4157bbb82ec2050757779bfed724463a544b6e20d79855a9e43b24", [:mix],
> [{:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}],
> "hexpm",
> "11dc6117c501b80c62a7594f941d043982a1bd05a1184280c0d9166eb4d8d3fc"},
> 87:  "tesla": {:hex, :tesla, "1.7.0",
> "a62dda2f80d4f8a925eb7b8c5b78c461e0eb996672719fe1a63b26321a5f8b4e", [:mix],
> [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional:
> true]}, {:exjsx, ">= 3.0.0", [hex: :exjsx, repo: "hexpm", optional: true]},
> {:finch, "~> 0.13", [hex: :finch, repo: "hexpm", optional: true]}, {:fuse,
> "~> 2.4", [hex: :fuse, repo: "hexpm", optional: true]}, {:gun, "~> 1.3",
> [hex: :gun, repo: "hexpm", optional: true]}, {:hackney, "~> 1.6", [hex:
> :hackney, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.0", [hex:
> :ibrowse, repo: "hexpm", optional: true]}, {:jason, ">= 1.0.0", [hex:
> :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.0 or ~> 2.0", [hex:
> :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint,
> repo: "hexpm", optional: true]}, {:msgpax, "~> 2.3", [hex: :msgpax, repo:
> "hexpm", optional: true]}, {:poison, ">= 1.0.0", [hex: :poison, repo:
> "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex:
> :telemetry, repo: "hexpm", optional: true]}], "hexpm",
> "2e64f01ebfdb026209b47bc651a0e65203fcff4ae79c11efb73c4852b00dc313"},
> ```
>
> In short, I don’t know why `poison` is being added back, and it would be
> nice if there was an equivalent to `pnpm why <dependency>`. I don’t know
> enough about how dependency resolution currently works to work on a PR, but
> I think that this would be of value.
>
> -a
> --
> Austin Ziegler • halosta...@gmail.com • aus...@halostatue.ca
> http://www.halostatue.ca/ • http://twitter.com/halostatue
>
> --
> You received this message because you are subscribed to the Google Groups
> "elixir-lang-core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to elixir-lang-core+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elixir-lang-core/CAJ4ekQsrfEaOWz0FBO%2BdSPD-m7AzrLWhMbGC-r0g9%2BOJXp%3DHTg%40mail.gmail.com
> <https://groups.google.com/d/msgid/elixir-lang-core/CAJ4ekQsrfEaOWz0FBO%2BdSPD-m7AzrLWhMbGC-r0g9%2BOJXp%3DHTg%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"elixir-lang-core" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elixir-lang-core+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elixir-lang-core/CAGnRm4JOY936%3DBHRQnSzVMMsjZpC2V175-WKTgNMD-oDLaSbdA%40mail.gmail.com.

Re: [elixir-core:11502] Determine why a package is being pulled

Reply via email to