liquidz / antq

Point out your outdated dependencies.

Option to scan, and report on, outdated transitive dependencies #204

Closed pmonks closed 1 year ago

pmonks commented 1 year ago

There are cases where it is useful to know about outdated transitive dependencies, since these can (sometimes) be safely overridden in a package's own dependency set without having to wait for the intermediate dependency to release a new version with upgraded dependencies. This is especially important for libraries that are commonly found as transitive dependencies in Clojure projects, but have a long history of security vulnerabilities; Jackson being a prime example.

That said, I don't think this behaviour should be the default, and could be gated behind an option such as --transitive.
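
As an added illustration of the override mechanism the comment above refers to (this is an added example, not part of the original issue nor antq's own documentation): in a tools.deps project a transitive dependency can be pinned by declaring it at the top level of deps.edn, since a top-level coordinate takes precedence over any version requested by an intermediate dependency, or it can be forced for every consumer with `:override-deps` in an alias. The Jackson artifact name is real, the `"X.Y.Z"` version strings are placeholders, and the `:outdated` alias follows the shape antq's README documents, with the two options discussed in this thread added to `:main-opts`.

```clojure
;; deps.edn (added example; not from the antq project)
{:deps
 {org.clojure/clojure {:mvn/version "1.11.1"}
  ;; Top-level declaration of a library that would otherwise only arrive
  ;; transitively. tools.deps prefers a top-level coordinate over a version
  ;; requested by an intermediate dependency, so this pins the version the
  ;; whole classpath sees. "X.Y.Z" is a placeholder, not a recommendation.
  com.fasterxml.jackson.core/jackson-databind {:mvn/version "X.Y.Z"}}

 :aliases
 {;; Force the same version even for libraries that pull it in via their
  ;; own deps, regardless of what they ask for (tools.deps :override-deps).
  :pin-jackson
  {:override-deps
   {com.fasterxml.jackson.core/jackson-databind {:mvn/version "X.Y.Z"}}}

  ;; antq invocation as used in this thread: --transitive also reports
  ;; outdated transitive dependencies, --no-changes skips fetching the
  ;; changelog URLs that make the transitive scan slow.
  :outdated
  {:deps {com.github.liquidz/antq {:mvn/version "RELEASE"}
          org.slf4j/slf4j-nop {:mvn/version "RELEASE"}}
   :main-opts ["-m" "antq.core" "--transitive" "--no-changes"]}}}
```

Run the scan with `clj -M:outdated` (the `-A:outdated` form used later in this thread still works but prints the deprecation warning visible in the log below), and inspect the resolved tree with `clj -A:pin-jackson -Stree` to confirm that every path to the library now ends at the pinned version.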

liquidz commented 1 year ago

@pmonks Thank you for your suggestion! Indeed, that sounds very useful.

I'll consider implementation.

liquidz commented 1 year ago

@pmonks Sorry for such a late reaction. I've implemented this feature in the dev branch for trial. Could you try the dev branch with the --transitive option? (--no-changes is recommended since --transitive may lead to too many deps)

liquidz commented 1 year ago

Moved to feature/transitive branch.

pmonks commented 1 year ago

I tried the feature/transitive branch, but it appears to hang:

```
$ git clone https://github.com/liquidz/antq.git
Cloning into 'antq'...
remote: Enumerating objects: 6163, done.
remote: Counting objects: 100% (2690/2690), done.
remote: Compressing objects: 100% (1027/1027), done.
remote: Total 6163 (delta 1694), reused 2149 (delta 1640), pack-reused 3473
Receiving objects: 100% (6163/6163), 750.34 KiB | 396.00 KiB/s, done.
Resolving deltas: 100% (3662/3662), done.
$ cd antq/
$ git switch feature/transitive
branch 'feature/transitive' set up to track 'origin/feature/transitive'.
Switched to a new branch 'feature/transitive'
$ clj -A:outdated --transitive
WARNING: Implicit use of clojure.main with options is deprecated, use -M
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Downloading: cloverage/cloverage/maven-metadata.xml from clojars
Downloading: org/slf4j/slf4j-nop/maven-metadata.xml from central
Downloading: org/slf4j/slf4j-nop/2.0.7/slf4j-nop-2.0.7.pom from central
Downloading: lambdaisland/deep-diff2/2.8.190/deep-diff2-2.8.190.pom from clojars
Downloading: lambdaisland/kaocha/1.82.1306/kaocha-1.82.1306.pom from clojars
Downloading: com/github/liquidz/build.edn/0.9.203/build.edn-0.9.203.pom from clojars
Downloading: metosin/malli/0.11.0/malli-0.11.0.pom from clojars
Downloading: cloverage/cloverage/1.2.4/cloverage-1.2.4.pom from clojars
Downloading: org/tcrawley/dynapath/1.1.0/dynapath-1.1.0.pom from central
Downloading: org/clojure/core.rrb-vector/0.1.2/core.rrb-vector-0.1.2.pom from central
Downloading: progrock/progrock/0.1.2/progrock-0.1.2.pom from clojars
Downloading: com/nextjournal/beholder/1.0.2/beholder-1.0.2.pom from clojars
Downloading: lambdaisland/clj-diff/1.4.78/clj-diff-1.4.78.pom from clojars
Downloading: hawk/hawk/0.2.11/hawk-0.2.11.pom from clojars
Downloading: io/github/clojure/tools.build/0.9.3/tools.build-0.9.3.pom from central
Downloading: riddley/riddley/0.2.0/riddley-0.2.0.pom from clojars
Downloading: borkdude/dynaload/0.3.5/dynaload-0.3.5.pom from clojars
Downloading: mvxcvi/arrangement/2.1.0/arrangement-2.1.0.pom from clojars
Downloading: borkdude/edamame/1.3.20/edamame-1.3.20.pom from clojars
Downloading: fipp/fipp/0.6.26/fipp-0.6.26.pom from clojars
Downloading: lambdaisland/tools.namespace/0.1.247/tools.namespace-0.1.247.pom from clojars
Downloading: pogonos/pogonos/0.2.1/pogonos-0.2.1.pom from clojars
Downloading: io/methvin/directory-watcher/0.17.3/directory-watcher-0.17.3.pom from central
Downloading: net/incongru/watchservice/barbary-watchservice/1.0/barbary-watchservice-1.0.pom from central
Downloading: org/babashka/cli/0.5.40/cli-0.5.40.pom from clojars
Downloading: net/incongru/watchservice/barbary-watchservice/1.0/barbary-watchservice-1.0.jar from central
Downloading: io/methvin/directory-watcher/0.17.3/directory-watcher-0.17.3.jar from central
Downloading: com/nextjournal/beholder/1.0.2/beholder-1.0.2.jar from clojars
Downloading: lambdaisland/clj-diff/1.4.78/clj-diff-1.4.78.jar from clojars
Downloading: fipp/fipp/0.6.26/fipp-0.6.26.jar from clojars
Downloading: org/clojure/core.rrb-vector/0.1.2/core.rrb-vector-0.1.2.jar from central
Downloading: org/slf4j/slf4j-nop/2.0.7/slf4j-nop-2.0.7.jar from central
Downloading: mvxcvi/arrangement/2.1.0/arrangement-2.1.0.jar from clojars
Downloading: org/tcrawley/dynapath/1.1.0/dynapath-1.1.0.jar from central
Downloading: io/github/clojure/tools.build/0.9.3/tools.build-0.9.3.jar from central
Downloading: hawk/hawk/0.2.11/hawk-0.2.11.jar from clojars
Downloading: riddley/riddley/0.2.0/riddley-0.2.0.jar from clojars
Downloading: cloverage/cloverage/1.2.4/cloverage-1.2.4.jar from clojars
Downloading: borkdude/edamame/1.3.20/edamame-1.3.20.jar from clojars
Downloading: borkdude/dynaload/0.3.5/dynaload-0.3.5.jar from clojars
Downloading: org/babashka/cli/0.5.40/cli-0.5.40.jar from clojars
Downloading: pogonos/pogonos/0.2.1/pogonos-0.2.1.jar from clojars
Downloading: metosin/malli/0.11.0/malli-0.11.0.jar from clojars
Downloading: progrock/progrock/0.1.2/progrock-0.1.2.jar from clojars
Downloading: lambdaisland/tools.namespace/0.1.247/tools.namespace-0.1.247.jar from clojars
Downloading: com/amazonaws/aws-java-sdk/1.4.3/aws-java-sdk-1.4.3.pom from central
Downloading: org/codehaus/jackson/jackson-mapper-asl/1.8.9/jackson-mapper-asl-1.8.9.pom from central
Downloading: org/codehaus/jackson/jackson-core-asl/1.8.9/jackson-core-asl-1.8.9.pom from central
Downloading: org/codehaus/jackson/jackson-core-asl/1.8.9/jackson-core-asl-1.8.9.jar from central
Downloading: javax/enterprise/cdi-api/1.2/cdi-api-1.2.jar from central
Downloading: org/codehaus/jackson/jackson-mapper-asl/1.8.9/jackson-mapper-asl-1.8.9.jar from central
Downloading: com/amazonaws/aws-java-sdk/1.4.3/aws-java-sdk-1.4.3.jar from central
Downloading: javax/interceptor/javax.interceptor-api/1.2/javax.interceptor-api-1.2.pom from central
Downloading: javax/el/javax.el-api/3.0.0/javax.el-api-3.0.0.pom from central
Downloading: org/apache/httpcomponents/httpclient/4.1/httpclient-4.1.pom from central
Downloading: org/apache/httpcomponents/httpcomponents-client/4.1/httpcomponents-client-4.1.pom from central
Downloading: org/apache/httpcomponents/project/4.1.1/project-4.1.1.pom from central
Downloading: commons-codec/commons-codec/1.4/commons-codec-1.4.pom from central
Downloading: org/apache/httpcomponents/httpcore/4.1/httpcore-4.1.pom from central
Downloading: org/apache/commons/commons-parent/11/commons-parent-11.pom from central
Downloading: org/apache/httpcomponents/httpcomponents-core/4.1/httpcomponents-core-4.1.pom from central
Downloading: javax/el/javax.el-api/3.0.0/javax.el-api-3.0.0.jar from central
Downloading: javax/interceptor/javax.interceptor-api/1.2/javax.interceptor-api-1.2.jar from central
Downloading: commons-codec/commons-codec/1.4/commons-codec-1.4.jar from central
Downloading: org/apache/httpcomponents/httpclient/4.1/httpclient-4.1.jar from central
Downloading: org/apache/httpcomponents/httpcore/4.1/httpcore-4.1.jar from central
[##################################################] 144/144
<Ctrl+C after some time>
$ clj -A:outdated --transitive
WARNING: Implicit use of clojure.main with options is deprecated, use -M
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[##################################################] 144/144
<Ctrl+C after some time>
```

liquidz commented 1 year ago

@pmonks Sorry for late reply. Could you tell me a repository which can reproduce the hanging if possible?

pmonks commented 1 year ago

@liquidz I just ran it on itself to begin with - the commands I used (minus output) were:

```
$ git clone https://github.com/liquidz/antq.git
$ cd antq/
$ git switch feature/transitive
$ clj -A:outdated --transitive
```

liquidz commented 1 year ago

@pmonks Ah, I missed that. Thank you! It must be taking time to fetch changes URLs.

In my environment, it took some time but the results were reported.

As mentioned above (https://github.com/liquidz/antq/issues/204#issuecomment-1518439014), if there are many outdated dependencies, it will take time to get the changes URLs, so I recommend using the --no-changes option.

```
$ clj -A:outdated --transitive --no-changes
```

pmonks commented 1 year ago

@liquidz ah yes it works (and quickly!) with the --no-changes option. I reckon this is good to merge, if you agree?

liquidz commented 1 year ago

@pmonks Just released v2.5.1089 :)