sbt-updates

Include transitive dependencies

Open adamnfish opened this issue 7 years ago • 7 comments

It'd be nice to be able to see updates for all of a project's dependencies, rather than just those explicitly mentioned in the libraryDependencies setting. This could be achieved via a setting or a separate task.

In particular, if a library pulled in by one of your project's dependencies has a vulnerability, it's great to be able to work out if there's a patch-upgrade available that would fix it. That's fairly tedious to do by hand; this plugin would make that very easy if it were possible. I understand it's much more complicated than the current behaviour; perhaps combining this plugin with sbt-dependency-graph would be the easiest way to achieve it.

I'm interested to hear your thoughts on whether you think this would be a useful addition or if you feel it would be better as a separate tool.

Apr 13 '17 11:04 adamnfish

It is rather easy to implement, but I intentionally decided to display dependencies for direct dependencies only. I agree, this may be useful to be able to find patch updates that may fix vulnerabilities, probably with a separate task (or an argument to the existing task).

Apr 13 '17 12:04 rtimush

If you've a pointer for me about how to retrieve the full, resolved list of dependencies I'll be happy to give it a crack.

Apr 13 '17 13:04 adamnfish

I'd say one of the *Classpath (probably managedClasspath) tasks can give you a list of dependencies. If I am not mistaken, they are returned as Attributed with maven/ivy coordinates as attributes.

Apr 15 '17 11:04 rtimush
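
The approach suggested in the comment above, written out as an added example that is not part of the thread and is not sbt-updates code: a build.sbt task that reads the moduleID attribute from managedClasspath and keeps the modules that are not declared in libraryDependencies. It assumes sbt 1.x; the task name transitiveModules is hypothetical.

```scala
// build.sbt fragment, assuming sbt 1.x. Added illustration, not sbt-updates code.
// `transitiveModules` is a hypothetical task name.
lazy val transitiveModules =
  taskKey[Seq[ModuleID]]("Resolved compile modules not declared in libraryDependencies")

transitiveModules := {
  val log = streams.value.log

  // Apply Scala cross-versioning so that a dependency declared with %%
  // (e.g. "circe-generic") compares equal to its resolved name
  // (e.g. "circe-generic_2.12").
  val applyCross = CrossVersion(scalaVersion.value, scalaBinaryVersion.value)
  val declared: Set[(String, String)] =
    libraryDependencies.value.map { m =>
      val r = applyCross(m)
      (r.organization, r.name)
    }.toSet

  // Each managedClasspath entry is an Attributed[File]; the coordinates it was
  // resolved from, when present, are stored under the moduleID attribute key.
  val resolved: Seq[ModuleID] =
    (Compile / managedClasspath).value.flatMap(_.get(Keys.moduleID.key)).distinct

  // Whatever was resolved but never declared was pulled in transitively.
  val transitive = resolved
    .filterNot(m => declared((m.organization, m.name)))
    .sortBy(m => (m.organization, m.name))

  transitive.foreach(m => log.info(s"${m.organization}:${m.name}:${m.revision}"))
  transitive
}
```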

Plugin also does not show dependencies of subprojects.

lazy val commonModule = project.in(file("common"))
  .settings(
    libraryDependencies ++= Seq(
      "io.circe" %% "circe-generic" % "0.7.0"
    )
  )

lazy val root = project.in(file("."))
  .dependsOn(commonModule)

Running sbt dependencyUpdates will not show here that the new circe-generic version 0.8.0 is available.

Should I submit a separate issue?

Aug 16 '17 19:08 mxl

Adding .aggregate(commonModule) to root solved the problem. If you think such behavior is unexpected, let's indeed continue in a separate issue.

Aug 16 '17 20:08 rtimush

Preliminary implementation is on the https://github.com/rtimush/sbt-updates/tree/transitive-updates branch and available as 0.3.5-2+ga326a8e

Jan 19 '18 14:01 rtimush

@rtimush that branch is no longer available, so I am not sure if this feature was eventually merged or abandoned

Sep 27 '21 13:09 jtjeferreira