Closed catskul closed 4 days ago
Huh, I'd not seen that GitHub feature before. It looks like it's scanning the dependencies of all the tree-sitter vendored parsers and listing them. For example, it's counting the release tooling from the YAML parser: https://github.com/Wilfred/difftastic/network/dependencies?page=65
None of the package.lock or yarn.lock files are relevant for difftastic. The vendored parsers provide a generated C file, which is checked in, and no other code from the parser is used (except syntax highlighting definitions).
Here's the full dependency graph of difftastic:
$ cargo tree
difftastic v0.62.0 (/home/wilfred/projects/difftastic)
├── bumpalo v3.14.0
├── clap v3.2.25
│ ├── atty v0.2.14
│ │ └── libc v0.2.155
│ ├── bitflags v1.3.2
│ ├── clap_lex v0.2.4
│ │ └── os_str_bytes v6.6.1
│ ├── indexmap v1.9.3
│ │ └── hashbrown v0.12.3
│ │ [build-dependencies]
│ │ └── autocfg v1.1.0
│ ├── once_cell v1.19.0
│ ├── strsim v0.10.0
│ ├── termcolor v1.4.1
│ ├── terminal_size v0.2.6
│ │ └── rustix v0.37.27
│ │ ├── bitflags v1.3.2
│ │ ├── io-lifetimes v1.0.11
│ │ │ └── libc v0.2.155
│ │ ├── libc v0.2.155
│ │ └── linux-raw-sys v0.3.8
│ └── textwrap v0.16.1
│ └── terminal_size v0.2.6 (*)
├── const_format v0.2.32
│ └── const_format_proc_macros v0.2.32 (proc-macro)
│ ├── proc-macro2 v1.0.79
│ │ └── unicode-ident v1.0.12
│ ├── quote v1.0.35
│ │ └── proc-macro2 v1.0.79 (*)
│ └── unicode-xid v0.2.4
├── crossterm v0.27.0
│ ├── bitflags v2.5.0
│ ├── libc v0.2.155
│ ├── mio v0.8.11
│ │ ├── libc v0.2.155
│ │ └── log v0.4.21
│ ├── parking_lot v0.12.1
│ │ ├── lock_api v0.4.11
│ │ │ └── scopeguard v1.2.0
│ │ │ [build-dependencies]
│ │ │ └── autocfg v1.1.0
│ │ └── parking_lot_core v0.9.9
│ │ ├── cfg-if v1.0.0
│ │ ├── libc v0.2.155
│ │ └── smallvec v1.13.2
│ ├── signal-hook v0.3.17
│ │ ├── libc v0.2.155
│ │ └── signal-hook-registry v1.4.1
│ │ └── libc v0.2.155
│ └── signal-hook-mio v0.2.3
│ ├── libc v0.2.155
│ ├── mio v0.8.11 (*)
│ └── signal-hook v0.3.17 (*)
├── glob v0.3.1
├── hashbrown v0.14.3
│ ├── ahash v0.8.11
│ │ ├── cfg-if v1.0.0
│ │ ├── once_cell v1.19.0
│ │ └── zerocopy v0.7.32
│ │ [build-dependencies]
│ │ └── version_check v0.9.4
│ └── allocator-api2 v0.2.16
├── home v0.5.5
├── humansize v2.1.3
│ └── libm v0.2.8
├── ignore v0.4.18
│ ├── crossbeam-utils v0.8.19
│ ├── globset v0.4.14
│ │ ├── aho-corasick v1.1.3
│ │ │ └── memchr v2.7.1
│ │ ├── bstr v1.9.1
│ │ │ ├── memchr v2.7.1
│ │ │ └── regex-automata v0.4.6
│ │ │ ├── aho-corasick v1.1.3 (*)
│ │ │ ├── memchr v2.7.1
│ │ │ └── regex-syntax v0.8.2
│ │ ├── log v0.4.21
│ │ ├── regex-automata v0.4.6 (*)
│ │ └── regex-syntax v0.8.2
│ ├── lazy_static v1.4.0
│ ├── log v0.4.21
│ ├── memchr v2.7.1
│ ├── regex v1.10.4
│ │ ├── aho-corasick v1.1.3 (*)
│ │ ├── memchr v2.7.1
│ │ ├── regex-automata v0.4.6 (*)
│ │ └── regex-syntax v0.8.2
│ ├── same-file v1.0.6
│ ├── thread_local v1.1.8
│ │ ├── cfg-if v1.0.0
│ │ └── once_cell v1.19.0
│ └── walkdir v2.5.0
│ └── same-file v1.0.6
├── itertools v0.11.0
│ └── either v1.10.0
├── lazy_static v1.4.0
├── libc v0.2.155
├── libmimalloc-sys v0.1.24
│ [build-dependencies]
│ └── cc v1.1.30
│ └── shlex v1.3.0
├── line-numbers v0.3.0
├── log v0.4.21
├── mimalloc v0.1.28
│ └── libmimalloc-sys v0.1.24 (*)
├── owo-colors v3.5.0
├── pretty_env_logger v0.5.0
│ ├── env_logger v0.10.2
│ │ ├── humantime v2.1.0
│ │ ├── is-terminal v0.4.12
│ │ │ └── libc v0.2.155
│ │ ├── log v0.4.21
│ │ ├── regex v1.10.4 (*)
│ │ └── termcolor v1.4.1
│ └── log v0.4.21
├── radix-heap v0.4.2
├── rayon v1.10.0
│ ├── either v1.10.0
│ └── rayon-core v1.12.1
│ ├── crossbeam-deque v0.8.5
│ │ ├── crossbeam-epoch v0.9.18
│ │ │ └── crossbeam-utils v0.8.19
│ │ └── crossbeam-utils v0.8.19
│ └── crossbeam-utils v0.8.19
├── regex v1.10.4 (*)
├── rustc-hash v2.0.0
├── serde v1.0.197
│ └── serde_derive v1.0.197 (proc-macro)
│ ├── proc-macro2 v1.0.79 (*)
│ ├── quote v1.0.35 (*)
│ └── syn v2.0.55
│ ├── proc-macro2 v1.0.79 (*)
│ ├── quote v1.0.35 (*)
│ └── unicode-ident v1.0.12
├── serde_json v1.0.114
│ ├── itoa v1.0.10
│ ├── ryu v1.0.17
│ └── serde v1.0.197 (*)
├── smallvec v1.13.2
├── strsim v0.10.0
├── strum v0.25.0
│ └── strum_macros v0.25.3 (proc-macro)
│ ├── heck v0.4.1
│ ├── proc-macro2 v1.0.79 (*)
│ ├── quote v1.0.35 (*)
│ ├── rustversion v1.0.14 (proc-macro)
│ └── syn v2.0.55 (*)
├── tree-sitter v0.20.10
│ └── regex v1.10.4 (*)
│ [build-dependencies]
│ └── cc v1.1.30 (*)
├── tree_magic_mini v3.1.5
│ ├── fnv v1.0.7
│ ├── home v0.5.5
│ ├── memchr v2.7.1
│ ├── nom v7.1.3
│ │ ├── memchr v2.7.1
│ │ └── minimal-lexical v0.2.1
│ ├── once_cell v1.19.0
│ └── petgraph v0.6.4
│ ├── fixedbitset v0.4.2
│ └── indexmap v2.2.6
│ ├── equivalent v1.0.1
│ └── hashbrown v0.14.3 (*)
├── typed-arena v2.0.2
├── unicode-width v0.1.11
└── wu-diff v0.1.2
[build-dependencies]
├── cc v1.1.30 (*)
├── rayon v1.10.0 (*)
└── version_check v0.9.4
[dev-dependencies]
├── assert_cmd v2.0.8
│ ├── bstr v1.9.1 (*)
│ ├── doc-comment v0.3.3
│ ├── predicates v2.1.1
│ │ ├── difflib v0.4.0
│ │ ├── float-cmp v0.9.0
│ │ │ └── num-traits v0.2.19
│ │ │ [build-dependencies]
│ │ │ └── autocfg v1.1.0
│ │ ├── itertools v0.10.5
│ │ │ └── either v1.10.0
│ │ ├── normalize-line-endings v0.3.0
│ │ ├── predicates-core v1.0.6
│ │ └── regex v1.10.4 (*)
│ ├── predicates-core v1.0.6
│ ├── predicates-tree v1.0.9
│ │ ├── predicates-core v1.0.6
│ │ └── termtree v0.4.1
│ └── wait-timeout v0.2.0
│ └── libc v0.2.155
├── predicates v2.1.1 (*)
└── pretty_assertions v1.4.0
├── diff v0.1.13
└── yansi v0.5.1
Much smaller, and this is reporting some libraries repeatedly (e.g. libc is used by multiple dependencies).

> analyzing the license and security implications was too difficult due to the large number of dependencies.
If it helps, difftastic is under an MIT license, and only reads the files you give it. It never makes any network connections nor modifies anything. Difftastic has also been packaged by a decent number of Linux distros, so they're also comfortable with the project.
Closing as I don't think there's anything actionable from me, but happy to discuss further.
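As an added example (not code from this thread or from the difftastic project), here is a small Python script that does the counting the comment above describes by hand: it parses `cargo tree` text output, counts distinct crate versions rather than tree lines, classifies each crate as a normal, build or dev dependency (a crate reached through any normal edge counts as normal, since it ends up in the shipped binary), and lists the crates the tree prints more than once. The embedded tree is a constructed, cut-down excerpt in cargo's real layout (four columns per nesting level); the tree pasted above has had its indentation collapsed by the page, so run the script against fresh `cargo tree` output rather than the text above.

```python
"""Summarise `cargo tree` text output: distinct crates per dependency kind,
versus the number of tree lines, which repeat shared crates (libc, cc, ...)
under every parent that uses them."""
import re
from collections import Counter

# Constructed excerpt in the layout `cargo tree` prints (4 columns per level).
# It is a stand-in for illustration, not the real difftastic graph.
SAMPLE_TREE = """\
difftastic v0.62.0 (/home/wilfred/projects/difftastic)
├── clap v3.2.25
│   ├── atty v0.2.14
│   │   └── libc v0.2.155
│   └── terminal_size v0.2.6
│       └── rustix v0.37.27
│           ├── libc v0.2.155
│           └── linux-raw-sys v0.3.8
├── crossterm v0.27.0
│   └── libc v0.2.155
├── serde v1.0.197
│   └── serde_derive v1.0.197 (proc-macro)
│       └── syn v2.0.55
└── tree-sitter v0.20.10
    [build-dependencies]
    └── cc v1.1.30
[build-dependencies]
├── cc v1.1.30 (*)
└── version_check v0.9.4
[dev-dependencies]
└── assert_cmd v2.0.8
    └── wait-timeout v0.2.0
        └── libc v0.2.155
"""

LINE_RE = re.compile(r"^(?P<prefix>[│├└─ ]*)(?P<body>\S.*)$")
CRATE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+) v(?P<version>\S+)")
HEADER_RE = re.compile(r"^\[(?P<kind>build|dev)-dependencies\]$")
RANK = {"normal": 0, "build": 1, "dev": 2}  # normal is the strongest link


def parse_tree(tree_text):
    """Yield (name, version, kind, is_dedup_ref) for every crate line.

    A `[build-dependencies]` / `[dev-dependencies]` header printed at depth d
    applies to the nodes at depth d+1 that follow it under the same parent.
    A node inherits its parent's kind unless such a header marks it weaker.
    """
    kind_at_depth = {}  # depth -> kind of the most recent node at that depth
    pending = {}        # depth -> kind set by a header for nodes at that depth
    for raw in tree_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        depth = len(m.group("prefix")) // 4  # assumes cargo's 4-column indent
        body = m.group("body")
        header = HEADER_RE.match(body)
        if header:
            pending[depth + 1] = header.group("kind")
            continue
        crate = CRATE_RE.match(body)
        if not crate:
            continue
        kind = kind_at_depth.get(depth - 1, "normal") if depth else "normal"
        if depth in pending and RANK[pending[depth]] > RANK[kind]:
            kind = pending[depth]
        # this node starts a new subtree, so headers for deeper siblings expire
        for d in [d for d in pending if d > depth]:
            del pending[d]
        kind_at_depth[depth] = kind
        yield crate.group("name"), crate.group("version"), kind, body.endswith("(*)")


def summarize(tree_text):
    """Return entry count, distinct crate count, per-kind counts and repeats."""
    nodes = list(parse_tree(tree_text))
    root = f"{nodes[0][0]} v{nodes[0][1]}"
    deps = nodes[1:]
    occurrences = Counter(f"{n} v{v}" for n, v, _, _ in deps)
    kind_of = {}
    for n, v, kind, _ in deps:
        key = f"{n} v{v}"
        # a crate pulled in by any normal edge is a runtime dependency
        if key not in kind_of or RANK[kind] < RANK[kind_of[key]]:
            kind_of[key] = kind
    return {
        "root": root,
        "entries": len(deps),
        "unique": len(kind_of),
        "by_kind": dict(Counter(kind_of.values())),
        "repeated": {k: c for k, c in occurrences.items() if c > 1},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TREE).items():
        print(f"{key}: {value}")
```

Without the script, `cargo tree --prefix none --edges normal | sort -u` prints each runtime crate once, which is the list a reviewer actually has to assess. Either way the number that matters is the set of crates cargo resolves from Cargo.lock; the JavaScript lockfiles inside the vendored parser directories that GitHub's dependency graph counts are never read by cargo and contribute nothing to the built binary.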
Thanks for the response. I think we're going to do a light fork. If we learn anything useful I'll share here.
I was looking to get use of difftastic approved at my workplace and got rejected because analyzing the license and security implications was too difficult due to the large number of dependencies.
According to GitHub there are 2,565 dependencies:
https://github.com/Wilfred/difftastic/network/dependencies
That seems unlikely. Any chance that this is a mistake, or that there's a single portion of this that is causing that explosion that could be called out to make this easier to analyze?