Deps job pack for Tessera: audit dependency manifests for pinning, duplicates, and conflicts.
Project description
tesserakit-deps
Audit dependency manifests for pinning discipline, duplicates, and conflicts.
tessera-deps parses dependency manifests across ecosystems, classifies how tightly each dependency is pinned, and flags supply-chain hygiene issues. It reads manifests only: no installs, no lockfile resolution, no network.
Where tessera-repo lists that a manifest declares dependencies, tessera-deps analyses how they are declared.
Audit
tessera deps audit --input . --output ./out/deps_pack
Supported manifests: requirements*.txt, pyproject.toml, package.json, Cargo.toml, go.mod.
Artifacts written:
dependencies.jsonl one Dependency per declaration (ecosystem, scope, constraint, pinning)
index.md the inventory table
validation_report.md pinning + duplicate + conflict findings
coverage_report.md counts by pinning / ecosystem / scope
duplicates.md dependencies declared in more than one manifest
Pinning classification
- pinned — an exact version (
==1.2.3, npm1.2.3, cargo=1.2.3, gov1.2.3) - ranged — a bounded range (
>=,~=,^,~, ...) - unpinned — no constraint at all,
*, orlatest
Findings
unpinned_dependency— declared with no version constraintduplicate_dependency— same name declared in multiple manifests (same constraint)conflicting_constraint— same name declared with different constraints across manifestsdeclared_not_locked— a manifest dependency is absent from the lockfile (the lock is stale)locked_version_mismatch— a manifest pins an exact version that disagrees with the lockfilelockfile_missing— npm/cargo deps are declared but no lockfile exists (builds aren't reproducible)no_dependencies— nothing found
Lockfile parsing covers package-lock.json, yarn.lock, poetry.lock, and Cargo.lock.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tesserakit_deps-0.4.0.tar.gz.
File metadata
- Download URL: tesserakit_deps-0.4.0.tar.gz
- Upload date:
- Size: 8.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
64dff8edc800bf5994b9d503b0ff8b08d330e6448f91a324c99778b90825487b
|
|
| MD5 |
c395d54bc3dc70b7894724bd0bb4d827
|
|
| BLAKE2b-256 |
8be6c7a4de824ff91d0e548a5dadc2fee20b4894cb961c975c182dd1eb7e6606
|
File details
Details for the file tesserakit_deps-0.4.0-py3-none-any.whl.
File metadata
- Download URL: tesserakit_deps-0.4.0-py3-none-any.whl
- Upload date:
- Size: 11.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c7b762783f74bf50e4719b626b0c9db53d330d82dbe6bdb65168821fb12bcaa0
|
|
| MD5 |
2ebcddf1fa9e68d7f47bf1ed7b5176d4
|
|
| BLAKE2b-256 |
6f220979ba1e38f71b4254626f8e7ef0d113dfd883d7fc3878173bac0804d893
|