tools-deps

Discuss tools.deps.alpha, tools.build, and the clj/clojure command-line scripts! See also #depstar #clj-new
gphilipp 2021-03-30T14:20:17.262700Z

What is the recommended approach to override transitive dependencies, a bit like Leiningen’s :managed-dependencies? From what I’ve seen, you cannot use :override-deps at the top level alongside :deps, it has to live under an alias, which is a bit cumbersome because people now have to remember to add the alias for all clj commands. The other option is to add the override version directly to the :deps vector but I’m not fond of that because it now looks like you project depends on it directly.

borkdude 2021-03-30T14:24:10.264Z

@gphilipp I would go for the last option, because in that case you are stating the truth: your app DOES depend on that specific version to function correctly

borkdude 2021-03-30T14:24:46.264600Z

you could add a comment to it to explain why you added it

gphilipp 2021-03-30T14:27:39.267400Z

Yeah, this is what I do currently (adding an explicit comment). The other downside that I forgot to mention is that it lifts the dependency to the top of the deps tree (`clj -Stree)` and you don’t have the entry anymore under the lib that pulled that dep initially.

alexmiller 2021-03-30T14:27:54.267700Z

usually I would add an :exclusions and add the dep in :deps

👍 2
gphilipp 2021-03-30T14:30:57.270Z

I usually skip the :exclusion part due to the way tools.deps resolve dependency conflicts (usually we want the higher version). But now that I’m think of it, IIRC it doesn’t work across maven repositories or across different vendors of the same GAV, am I right?

alexmiller 2021-03-30T14:34:11.270200Z

not sure what you mean

alexmiller 2021-03-30T14:34:48.270400Z

those seem like orthogonal concerns

gphilipp 2021-03-30T15:07:12.271100Z

I’ll write down a small example to clarify.

Jason 2021-03-30T21:34:49.273Z

If one were to add keys to a deps maps like so:

{:extra-deps {thheller/shadow-cljs          {:mvn/version "2.11.22"
                                               :bazel/hash "hash goes here"} ; <= new map entry
1. would anything break, and 2. is there a way to resolve them along with the maven coordinates?

seancorfield 2021-03-30T21:43:38.274200Z

@jasonhlogic There’s a “procurer” mechanism built into tools.deps.alpha that could leverage that but it is not currently exposed as an extension point. @alexmiller might have more to say about that.

alexmiller 2021-03-30T21:45:12.275100Z

in this particular case, you're adding keys to an existing procurer coordinate and that code may not pull them along (although generally the existing code does)

alexmiller 2021-03-30T21:46:06.276100Z

if you are making your own custom procurer (some qualifier other than :mvn), it is possible to install that and have tools.deps use it and do anything you like

alexmiller 2021-03-30T21:47:30.278200Z

installing custom procurer extensions is not currently possible when using the clj CLI (no one has needed it yet) but that is possible

Jason 2021-03-30T22:07:47.291500Z

In theory, what I would like to do is let maven do the procuring as it does now, but then to get a link to the local jar and the value of the key i have added so an external tool can hash the jar and compare for its own purposes. (the external tool, surprise, is <Https://bazel.build|Bazel>). My wishcast is that some magical function would appear which 1. resolves deps 2. downloads the artifact via whatever procuring mechanism is in place 3. adds the url of the downloaded artifact to the map I added the new key to above 4. returns the new map Given that resolve-deps exists, 1 and 2 are covered, so I guess I'm asking whether there is a way to know the local url of each procured artifact per dep for reasoning purposes 🙂

seancorfield 2021-03-30T22:11:02.292800Z

The computed project basis would give you the path to the actual JAR (as well as all the rest of that data — although as Alex says I don’t think you can guarantee that your additional keys will always get passed through).

seancorfield 2021-03-30T22:11:41.293300Z

Take a look at how depstar does it: https://github.com/seancorfield/depstar/blob/develop/src/hf/depstar/uberjar.clj#L314-L333

seancorfield 2021-03-30T22:12:16.294300Z

If you play with that in the REPL, you should be able to find the data you are after and verify whether your keys survive the round-trip too.

seancorfield 2021-03-30T22:12:42.295300Z

(there’s very similar code in t.d.a itself — I just knew I could find this code faster)

alexmiller 2021-03-30T22:12:46.295500Z

there actually is an api method for answering this question

Jason 2021-03-30T22:16:01.297400Z

Fantastic. thanks very much, will investigate. Confirmed that nothing breaks when I add the extra key, so there's that.

alexmiller 2021-03-30T23:09:22.297900Z

there are no future guarantees about that - you are firmly in "undefined" land

alexmiller 2021-03-30T23:10:24.298200Z

re "I'm asking whether there is a way to know the local url of each procured artifact per dep", see https://clojure.github.io/tools.deps.alpha/clojure.tools.deps.alpha-api.html#clojure.tools.deps.alpha/lib-location

alexmiller 2021-03-30T23:12:19.299100Z

and just fyi, Maven will also download the sha1 hash of the jar if it's in the maven repo (which it will be for things in Maven central, but not necessarily for clojars or other maven repos)