Option to update specific sub-dependency in lock file
Is your feature/enhancement proposal related to a problem? Please describe.
At work, we use scanning tools to check if there are any known vulnerabilities in our images before we deploy. This is straightforward if the package is defined in the pyproject.toml using pdm update, but often the offending package is a sub-dependency that's only defined in the lock file.
For example, if a package like FastAPI has a vulnerability, I can do pdm update fastapi. If Starlette, a dependency of FastAPI, has a vulnerability, this does not work.
$ pdm update starlette
[ProjectError]: starlette does not exist in default dependencies.
I know I can do eager updating on the entire file, but (to my knowledge) I can't limit this to a specific sub-dependency.
Describe the solution you'd like
I'd love a feature similar to what pdm update currently does, but which only updates the versions in the lock file.
$ pdm <update-lock-command> starlette
This is the feature I am also looking for as I need to deal with the same problem when updating vulnerable indirect dependencies. So far I haven't found how to do it properly so my workaround for this is to:
- Add indirect dependency to direct ones
- Update the dependency
- Remove the dependency from pyproject.toml
This is not an ideal workflow but it works as a workaround and I am looking for guidance or enhancement!
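Before applying the workaround above, the practical question is which direct dependency actually pulls the flagged package in, since that is the one `pdm update` will accept. The following is an added example, not code from pdm or from anyone in this thread: it reads a lock file and a pyproject.toml, reports whether the flagged package is direct or transitive, and walks the reverse-dependency graph to list the direct dependencies whose trees contain it. The two sample files are constructed and only approximate pdm.lock's `[[package]]` layout; the version comparison is a deliberately simple numeric tuple, not full PEP 440.

```python
"""Find which direct dependency pulls in a vulnerable transitive package.

Added example (not pdm's own code). SAMPLE_LOCK / SAMPLE_PYPROJECT are
constructed and only approximate pdm.lock's [[package]] tables.
"""
import re
from collections import deque

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # assumption: the tomli backport is installed

SAMPLE_PYPROJECT = """
[project]
name = "demo"
dependencies = ["fastapi>=0.95", "requests>=2.28"]
"""

SAMPLE_LOCK = """
[[package]]
name = "fastapi"
version = "0.95.0"
dependencies = ["pydantic>=1.6.2,<2.0.0", "starlette>=0.26.1,<0.27.0"]

[[package]]
name = "starlette"
version = "0.26.1"
dependencies = ["anyio>=3.4.0,<5"]

[[package]]
name = "anyio"
version = "3.6.2"

[[package]]
name = "pydantic"
version = "1.10.7"

[[package]]
name = "requests"
version = "2.28.2"
"""

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Starlette' and 'starlette' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> str:
    """Distribution name from a PEP 508 string such as 'starlette>=0.26.1,<0.27.0'."""
    match = _REQ_NAME.match(req)
    if match is None:
        raise ValueError(f"unparseable requirement: {req!r}")
    return normalize(match.group(1))


def load_lock(text: str) -> dict:
    """Map package name -> {'version': str, 'deps': set of dependency names}."""
    lock = {}
    for pkg in tomllib.loads(text).get("package", []):
        lock[normalize(pkg["name"])] = {
            "version": pkg["version"],
            "deps": {requirement_name(r) for r in pkg.get("dependencies", [])},
        }
    return lock


def direct_dependencies(pyproject_text: str) -> set:
    """Names listed under [project].dependencies, i.e. what `pdm update X` accepts."""
    project = tomllib.loads(pyproject_text)["project"]
    return {requirement_name(r) for r in project.get("dependencies", [])}


def reverse_dependencies(lock: dict, target: str) -> set:
    """Packages in the lock that directly require `target`."""
    target = normalize(target)
    return {name for name, info in lock.items() if target in info["deps"]}


def update_targets(lock: dict, direct: set, target: str) -> set:
    """Direct dependencies whose dependency tree contains `target` (BFS over reverse edges)."""
    target = normalize(target)
    if target not in lock:
        return set()
    found, seen, queue = set(), {target}, deque([target])
    while queue:
        current = queue.popleft()
        if current in direct:
            found.add(current)
        for parent in reverse_dependencies(lock, current):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return found


def version_tuple(version: str) -> tuple:
    """Simplistic comparison key; handles plain numeric releases only."""
    return tuple(int(part) for part in version.split("."))


def needs_update(lock: dict, target: str, fixed_in: str) -> bool:
    """True when the locked version predates the first fixed release."""
    info = lock.get(normalize(target))
    return info is not None and version_tuple(info["version"]) < version_tuple(fixed_in)


def report(lock_text: str, pyproject_text: str, target: str, fixed_in: str) -> dict:
    """One-shot summary for a package flagged by a scanner."""
    lock, direct = load_lock(lock_text), direct_dependencies(pyproject_text)
    name = normalize(target)
    return {
        "package": name,
        "locked": lock[name]["version"] if name in lock else None,
        "direct": name in direct,
        "needs_update": needs_update(lock, name, fixed_in),
        "update_targets": sorted(update_targets(lock, direct, name)),
    }


if __name__ == "__main__":
    # starlette is transitive here, so `pdm update starlette` would fail;
    # the report points at fastapi as the direct dependency to update instead.
    print(report(SAMPLE_LOCK, SAMPLE_PYPROJECT, "starlette", "0.27.0"))
```

Run it with the real files (`report(open("pdm.lock").read(), open("pyproject.toml").read(), "starlette", "0.27.0")`) and `update_targets` tells you which name to hand to `pdm update`; if the result is empty, the package is not in the lock at all and the scanner finding is about something else.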
Hi! If this issue is still requested I would like to work on this issue together with some classmates -- as part of a course in software development. Could I get the issue assigned to me?
@rasmus-d Thanks, feel free to start working on it.