Skip to main content

Deps job pack for Tessera: audit dependency manifests for pinning, duplicates, and conflicts.

Project description

tesserakit-deps

Audit dependency manifests for pinning discipline, duplicates, and conflicts.

tessera-deps parses dependency manifests across ecosystems, classifies how tightly each dependency is pinned, and flags supply-chain hygiene issues. It reads manifests only: no installs, no lockfile resolution, no network.

Where tessera-repo lists that a manifest declares dependencies, tessera-deps analyses how they are declared.

Audit

tessera deps audit --input . --output ./out/deps_pack

Supported manifests: requirements*.txt, pyproject.toml, package.json, Cargo.toml, go.mod.

Artifacts written:

dependencies.jsonl       one Dependency per declaration (ecosystem, scope, constraint, pinning)
index.md                 the inventory table
validation_report.md     pinning + duplicate + conflict findings
coverage_report.md       counts by pinning / ecosystem / scope
duplicates.md            dependencies declared in more than one manifest

Pinning classification

  • pinned — an exact version (==1.2.3, npm 1.2.3, cargo =1.2.3, go v1.2.3)
  • ranged — a bounded range (>=, ~=, ^, ~, ...)
  • unpinned — no constraint at all, *, or latest

Findings

  • unpinned_dependency — declared with no version constraint
  • duplicate_dependency — same name declared in multiple manifests (same constraint)
  • conflicting_constraint — same name declared with different constraints across manifests
  • declared_not_locked — a manifest dependency is absent from the lockfile (the lock is stale)
  • locked_version_mismatch — a manifest pins an exact version that disagrees with the lockfile
  • lockfile_missing — npm/cargo deps are declared but no lockfile exists (builds aren't reproducible)
  • no_dependencies — nothing found

Lockfile parsing covers package-lock.json, yarn.lock, poetry.lock, and Cargo.lock.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tesserakit_deps-0.4.0.tar.gz (8.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tesserakit_deps-0.4.0-py3-none-any.whl (11.2 kB view details)

Uploaded Python 3

File details

Details for the file tesserakit_deps-0.4.0.tar.gz.

File metadata

  • Download URL: tesserakit_deps-0.4.0.tar.gz
  • Upload date:
  • Size: 8.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.11

File hashes

Hashes for tesserakit_deps-0.4.0.tar.gz
Algorithm Hash digest
SHA256 64dff8edc800bf5994b9d503b0ff8b08d330e6448f91a324c99778b90825487b
MD5 c395d54bc3dc70b7894724bd0bb4d827
BLAKE2b-256 8be6c7a4de824ff91d0e548a5dadc2fee20b4894cb961c975c182dd1eb7e6606

See more details on using hashes here.

File details

Details for the file tesserakit_deps-0.4.0-py3-none-any.whl.

File metadata

File hashes

Hashes for tesserakit_deps-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c7b762783f74bf50e4719b626b0c9db53d330d82dbe6bdb65168821fb12bcaa0
MD5 2ebcddf1fa9e68d7f47bf1ed7b5176d4
BLAKE2b-256 6f220979ba1e38f71b4254626f8e7ef0d113dfd883d7fc3878173bac0804d893

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page