dfetch 0.13.0

A vendoring tool for fetching and managing external dependencies.

Vendor dependencies without the pain.

Dfetch copies source code directly into your project — no Git submodules, no SVN externals, no hidden external links. Fetch from Git, SVN, or plain archive URLs. Dependencies live as plain, readable files inside your own repository. You stay in full control of every line.

Dfetch supports Git, SVN, and archive files (.tar.gz, .tgz, .tar.bz2, .tar.xz, .zip). Archives can be verified with a cryptographic hash (sha256, sha384, or sha512) to guarantee integrity on every fetch. No proprietary formats, no lock-in — switch tools any time.

Other tools that do similar things are Zephyr's West, CMake ExternalProject, and other meta tools. See alternatives for a complete list. The broader concept is known as vendoring.

Getting started | Commands | Troubleshooting | Contributing

What Dfetch Does

• Vendor source-only dependencies — fully self-contained, no external links at build time
• VCS-agnostic: mix Git, SVN, and plain archive URLs freely in one manifest
• Fetch and verify archives with cryptographic integrity checks
• Apply local patches while keeping upstream syncable (dfetch diff / dfetch format-patch)
• Supply-chain ready: SBOM generation, license detection, multi-format CI reports
• Migrate from Git submodules or SVN externals in seconds (dfetch import)
• Declarative code reuse across projects (inner sourcing)

Install

Stable

pip install dfetch

latest version

pip install git+https://github.com/dfetch-org/dfetch.git#egg=dfetch

Binary distributions

Each release on the releases page provides installers for all major platforms.

• Linux .deb & .rpm
• macOS .pkg
• Windows .msi

Example manifest

manifest:
  version: 0.0

  remotes:                                                        # declare common sources in one place
  - name: github
    url-base: https://github.com/                                 # Allow git modules
    default: true                                                 # Set it as default

  - name: sourceforge
    url-base: svn://svn.code.sf.net/p/

  projects:

  - name: cpputest-git-tag
    dst: Tests/cpputest-git-tag
    url: https://github.com/cpputest/cpputest.git                 # Use external git directly
    tag: v3.4                                                     # revision can also be a tag

  - name: tortoise-svn-branch-rev
    dst: Tests/tortoise-svn-branch-rev/
    remote: sourceforge
    branch: 1.10.x
    revision: '28553'
    src: src/*
    vcs: svn
    repo-path: tortoisesvn/code

  - name: tortoise-svn-tag
    dst: Tests/tortoise-svn-tag/
    remote: sourceforge
    tag: version-1.13.1
    src: src/*.txt
    vcs: svn
    repo-path: tortoisesvn/code

  - name: cpputest-git-src
    dst: Tests/cpputest-git-src
    repo-path: cpputest/cpputest.git
    src: src

  - name: my-library
    dst: ext/my-library
    url: https://example.com/releases/my-library-1.0.tar.gz
    vcs: archive
    integrity:
      hash: sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

GitHub Action

You can use Dfetch in your GitHub Actions workflow to check your dependencies. The results will be uploaded to GitHub. Add the following to your workflow file:

jobs:
  dfetch-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Run Dfetch Check
        uses: dfetch-org/dfetch@main
        with:
          working-directory: '.' # optional, defaults to project root