fossa-cli

FEATURE: Filter out npm production dependencies from analysis

Open thernstig opened this issue 4 years ago • 3 comments

Our package.json looks like this:

{
  "dependencies": {
    "@somename/some2pp": "3.11.0", // This is a 2PP
    "d3": "5.7.0" // This is a 3PP
  }
}

In the analysis we want to filter out @somename/some2pp and its dependency tree (all its deep dependencies) completely from the analysis. So when we later do fossa report attribution it isn't even in the report. It is a 2PP developed by us that we have no need to analyze.

thernstig avatar Dec 22 '21 09:12 thernstig

I am aware it is possible to ignore dependencies in the UI, but this is not a good workflow for a few reasons.

  1. If we e.g. ignore the deep dependencies of @somename/some2pp in the UI we might make a mistake, as some other direct dependency might have the same deep dependency. In that scenario we do not want to ignore it.
  2. Even if we keep track of deep dependencies shared between the 2PP and other 3PPs, it is manual labor. In addition, if we do updates to either the direct dependency 2PP or 3PP, the deep dependencies might change, requiring even more manual work. This defeats the purpose of an automation tool.

There should be some way to do this directly with .yaml files in the repo to ignore a direct dependency, so it is not scanned at all.

thernstig avatar Jan 08 '22 10:01 thernstig
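The shared-deep-dependency problem raised in the post above is a graph question: a package pulled in by the 2PP is only safe to drop if no other direct dependency also reaches it, and a nested duplicate (a second copy of a package under the 2PP's own node_modules) is a different node from the hoisted copy. The script below is an added example, not part of this thread and not code from fossa-cli; it reads the "packages" map that npm writes in lockfileVersion 2 and 3 package-lock.json files, resolves each dependency name the way npm does (nested copy first, then walk up to the root node_modules), and splits the 2PP's transitive closure into entries that only it pulls in versus entries shared with any other direct dependency. The lock data embedded here is a constructed sample with the package names from the post plus hypothetical transitive packages; the exclusion rule being computed is the one the post asks for, not a fossa-cli feature.

```javascript
// Added example, not fossa-cli code: given an npm lockfile (lockfileVersion 2 or 3,
// which carry a "packages" map keyed by install path), compute which packages are
// reachable *only* through one first-party (2PP) direct dependency. Those are safe to
// ignore; anything also reachable from another direct dependency must stay in the report.

// Constructed sample lock data; the shape mirrors a real package-lock.json "packages" map.
// Note the nested chalk@2 under the 2PP: a different node from the hoisted chalk@4.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "@somename/some2pp": "3.11.0", d3: "5.7.0" },
      devDependencies: { jest: "29.0.0" },
    },
    "node_modules/@somename/some2pp": {
      version: "3.11.0",
      dependencies: { lodash: "^4.17.0", "left-pad": "^1.3.0", chalk: "^2.0.0" },
    },
    "node_modules/@somename/some2pp/node_modules/chalk": { version: "2.4.2" },
    "node_modules/d3": { version: "5.7.0", dependencies: { lodash: "^4.17.0", "d3-array": "^1.2.0" } },
    "node_modules/jest": { version: "29.0.0", dev: true, dependencies: { chalk: "^4.0.0" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/d3-array": { version: "1.2.4" },
    "node_modules/chalk": { version: "4.1.2", dev: true },
  },
};

const NM = "node_modules/";

// Package name from a lockfile path key ("node_modules/a/node_modules/b" -> "b").
function packageName(key) {
  const idx = key.lastIndexOf(NM);
  return idx === -1 ? key : key.slice(idx + NM.length);
}

// Resolve a dependency name the way npm does: look for a nested copy under the
// requiring package, then walk up toward the root node_modules. Returns null when
// the lock has no entry (e.g. an optional dependency that was never installed).
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? NM + depName : `${base}/${NM}${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/" + NM);
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// All lock entries reachable from startKey, following "dependencies" and
// "optionalDependencies" (peer dependencies are supplied by the consumer and are
// already covered as someone else's direct or transitive dependency).
function reachable(packages, startKey) {
  const seen = new Set();
  const stack = [startKey];
  while (stack.length > 0) {
    const key = stack.pop();
    if (seen.has(key)) continue;
    seen.add(key);
    const entry = packages[key] || {};
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, key, name);
      if (target !== null) stack.push(target);
    }
  }
  return seen;
}

// Split the 2PP's transitive closure into entries that only it pulls in (safe to
// ignore) and entries shared with any other direct dependency (must stay). Dev
// dependencies of the root count as "other" roots so the split stays conservative.
function partitionFirstParty(lock, firstPartyName) {
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 with a packages map");
  const packages = lock.packages;
  const root = packages[""] || {};
  const rootDeps = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const fpKey = resolveDep(packages, "", firstPartyName);
  if (fpKey === null) throw new Error(`${firstPartyName} is not a direct dependency in the lock`);

  const fpClosure = reachable(packages, fpKey);
  const othersClosure = new Set();
  for (const name of Object.keys(rootDeps)) {
    if (name === firstPartyName) continue;
    const key = resolveDep(packages, "", name);
    if (key === null) continue;
    for (const k of reachable(packages, key)) othersClosure.add(k);
  }

  const label = (key) => `${packageName(key)}@${packages[key].version || "unversioned"}`;
  const ignore = [];
  const shared = [];
  for (const key of fpClosure) {
    if (othersClosure.has(key)) shared.push(label(key));
    else ignore.push(label(key));
  }
  return { ignore: ignore.sort(), shared: shared.sort() };
}

// Stand-alone run against the constructed sample. With a real lock, replace SAMPLE_LOCK
// with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
console.log(JSON.stringify(partitionFirstParty(SAMPLE_LOCK, "@somename/some2pp"), null, 2));
```

On the sample, lodash ends up in `shared` because d3 also depends on it, while the nested chalk@2.4.2 is exclusive to the 2PP even though a chalk@4.1.2 is reachable from jest; a name-based ignore list would get both of those wrong, which is the mistake the post describes. Re-running the script after every lock change keeps the ignore set in step with the branch it is computed from.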

Hi @thernstig, can you try scanning with the latest version of the fossa cli? We have delivered a few fixes for scanning npm dev dependencies over the last few months and there is a chance your issue is resolved.

zlav avatar May 20 '22 00:05 zlav

@zlav I am almost always using the latest version of the fossa cli. This issue is a feature request, and I have not seen in the release notes that this is supported. In addition, it would have to be documented how it works.

Basically what I am saying is that I think ignoring dependencies with "config-as-code" is far more powerful than in the UI. Code follows along with branches that might have different configuration, etc., which the UI does not support in the same way.

thernstig avatar May 20 '22 06:05 thernstig