CPLAT-11298 detect builders

[aaronstgeorge-wf]

Motivation

There are several popular packages that currently have to be ignored when running dependency_validator because they are only used for the builder they provide, which is something that gets applied automatically when running build_runner and not something we can detect via imports in the source code.

Changes

Look up the source for each dependency in ~/.pub-cache to see if a build.yaml exists, parse it, and see if any builders are defined. If a dependency defines builder(s), we should consider it "used".

Release Notes

Review

See CONTRIBUTING.md for more details on review types (+1 / QA +1 / +10) and code review process.

Please review:

QA Checklist

• [ ] Tests were updated and provide good coverage of the changeset and other affected code
• [ ] Manual testing was performed if needed
  • [ ] Steps from PR author:
  • [ ] Anything falling under manual testing criteria outlined in CONTRIBUTING.md

Merge Checklist

While we perform many automated checks before auto-merging, some manual checks are needed:

• [ ] A Client Platform member has reviewed these changes
• [ ] There are no unaddressed comments - this check can be automated if reviewers use the "Request Changes" feature
• [ ] For release PRs - Version metadata in Rosie comment is correct

[aviary3-wk]

Security Insights

No security relevant content was detected by automated scans.

Action Items

• Review PR for security impact; comment "security review required" if needed or unsure

• Verify aviary.yaml coverage of security relevant code

  Questions or Comments? Reach out on Slack: #support-infosec.