Olical / depot

Find newer versions of your dependencies in your deps.edn file
https://clojars.org/olical/depot
The Unlicense
258 stars 14 forks

Recursive check? #28

Closed markaddleman closed 5 years ago

markaddleman commented 5 years ago

I'd like to check dependencies of dependencies for out-of-date versions.

Olical commented 5 years ago

Hmm, what's the reasoning behind this? And it would require the dependency to publish their deps.edn within their JAR which I doubt many would. I don't think this is feasible?

markaddleman commented 5 years ago

Oh, that's a good point. The use case is that I have a dependency whose transitive dependency is out of date. I need to exclude its dependency and manually bring in a later version. I was thinking it would be nice to have a check for this condition.

Olical commented 5 years ago

:thinking: might be easier using clj -Stree or the lein equivalent + some sorting or something in combination with what depot does already. Maybe that's too awkward but I don't personally think checking versions of transitive dependencies is a goal of Depot.

markaddleman commented 5 years ago

Yep, I completely agree after thinking how it would actually work.

pmonks commented 4 years ago

I hate to Lazarus this issue, but I have the same use case described above, and given that there are (very useful!) implementations of this in other build tools (Maven's dependencies plugin, lein-ancient, etc.) I'm surprised that this isn't a goal of the project.

@Olical if it's not too much to ask, would you care to go into more detail about why this is a non-goal? I get that the implementation might be tricky, but given that a) this is valuable functionality, and b) there's prior art, that doesn't seem like it could be the sole reason not to have it as an objective.

Olical commented 4 years ago

Would deps-ancient or antq do the trick? They both seem great!

This codebase is now an amalgamation of other people's pull requests so I'm reluctant to dive in and do anything with it any more. I've got my hands full with work on Conjure and regular £££ work. With hindsight, I should've kept this project super simple and promoted others building forks etc since there's no one size fits all solution for this problem space.

Everyone has their own trade-offs, wants and needs, there's no way I could ever support all of them I'm afraid. One of those things is checking every dependency, even those of transient dependencies. I've never once had a need for this so I presume it's for a very specific workflow. The best bet may be forking an existing tool that comes close to get it to work how you want.

I'm not really maintaining this project right now so I'd recommend trying to find a working solution with one of the alternatives out there.

pmonks commented 4 years ago

For any future readers - antq doesn't recursively check dependency versions either, and deps-ancient no longer seems to be functional (I get nonsensical output on my current project).

FWIW @seancorfield has explored this space in some detail, and his solution is described here.