Skip to content

Conversation

@tjugdev
Copy link
Contributor

@tjugdev tjugdev commented Oct 15, 2025

Overview

This PR fixes the pipenv strategy to differentiate between direct and transitive dependencies. We are able to make this distinction via static analysis, but generating edges requires the pipenv graph command, and is thus only available as a dynamic strategy. Neither Pipfile.lock nor pipenv graph adequately identify which dependences are direct, so I've introduced parsing of Pipfile in order to accurately make this distinction.

I also included a fix for some broken links in the Swift docs.

Acceptance criteria

Pipenv correctly differentiates between direct and transitive dependencies.

Testing plan

  • Create a pipenv project and install the requests package. Confirm that the dependency graph looks correct
  • Install the package langchain as well which itself also depends on requests. Confirm that langchain and requests are both reported as direct dependencies.
  • Unit tests updated to test direct dependencies, including the second case above where a direct dependency is also a transitive dependency.

Risks

Metrics

References

  • ANE-1400: Pipenv must differentiate between direct and transitive deps

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

@tjugdev tjugdev requested a review from a team as a code owner October 15, 2025 22:23
@tjugdev tjugdev requested a review from csasarak October 15, 2025 22:23
Copy link
Contributor

@csasarak csasarak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good! All the comments I wrote are optional.

Could you update the Changelog.md file though? I don't see any reason not to release this. I can help you through that process if you haven't done it yet.

Comment on lines +62 to +64
PipfileToml
(pipfilePackageList ["pkgOne"])
(pipfilePackageList ["pkgTwo"])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Optional] We use records positionally a lot in the CLI. It quickly becomes unwieldy and hard to read when it's a record with many fields. If I wrote a function with seven arguments or something you'd probably, correctly, call it out in a review. Personally, I'd like it if we all moved towards being a bit more explicit.

There's even an action HLS has to do it for you.

This particular case looks fine to me if you want to keep it though, or disagree with the idea above.

addWithEnv env sourcesMap name dep = do
let pkg = PipPkg name (Text.drop 2 <$> fileDepVersion dep)
-- Use the Pipfile as the source of truth for which dependencies are direct
let graphFn = if Map.member name pipfilePackages || Map.member name pipfileDevPackages then direct else deep
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nit] It may be more straightforward to just inline this if expression.

@tjugdev tjugdev merged commit 46374e2 into master Oct 17, 2025
19 of 20 checks passed
@tjugdev tjugdev deleted the pipenv-deps branch October 17, 2025 20:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants