This repository has been archived by the owner on Mar 25, 2024. It is now read-only.

Trash does not resolve dependencies of my dependencies. #63

Open
shadyyx opened this issue Nov 16, 2016 · 2 comments

Comments

@shadyyx

shadyyx commented Nov 16, 2016

Imagine I have 10+ (self-maintained) libraries and 30+ (self-maintained) apps that import 1..x of these libraries and where my libraries (as well as apps) have also some 3rd-party imports.

That results in each project containing a trash.yaml file containing the vendored dependencies.

Now imagine I am in App1 which imports Lib1 and Lib2 (and both libs have their 3rd-party dependencies) - after running trash in App1 folder, the result in App1/vendor folder is just Lib1 and Lib2 - but their dependencies (and their trash.yaml files) are ignored.

Because of this, trash is not usable for us. Is it therefore possible to fix this?

@joshwget
Contributor

I think the biggest issue with this is determining the versions of transitive dependencies. Providing a list of all transitive repos would be pretty easy, but AFAIK the only way to add versions would be to parse through the various vendor configuration files.

It's possible I'm missing something here - do other vendor management tools provide this type of functionality?

@silasdavis

https://github.com/Masterminds/glide sort of does but it is rather stalled at the moment (or perhaps permanently) until it upgrades to https://github.com/sdboyer/gps internally.

It will follow transitive dependencies as specified by glide.yaml (or various other package management manifests) but not those specified by your dependency's glide.lock. Since glide.yaml may specify version ranges (or no version meaning master/HEAD) you don't actually end up with the versions it has been tested, built, and released with (which should be those in glide.lock), which makes it somewhat useless unless versions are pinned in your dependency's glide.yaml. I've also found that it is generally a bit update-happy so that getting a dependency causes unrelated ones to be updated. I have hacked a tool using glide as a library that merges together glide lock files. It's not very general but works for some sets of dependencies.
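
The lock-file merging discussed in this thread, as an added example (not code from trash, glide, or any commenter): it walks in-memory manifests transitively and flags packages that are pinned to conflicting versions or left unpinned. The `Pin` type, the function names and the sample data are assumptions; parsing trash.yaml or glide.lock is out of scope, and manifests are keyed by package only.

```go
package main

import "fmt"
import "sort"

// Pin is one manifest entry; Version "" means unpinned (hypothetical type).
type Pin struct{ Package, Version string }

// Merge walks every manifest reachable from root and records each distinct pin.
func Merge(root string, manifests map[string][]Pin) map[string][]string {
	out, seen, visited := map[string][]string{}, map[Pin]bool{}, map[string]bool{}
	var walk func(string)
	walk = func(pkg string) {
		if visited[pkg] { // each manifest is read once; also stops import cycles
			return
		}
		visited[pkg] = true
		for _, p := range manifests[pkg] {
			if !seen[p] { // the same package+version pinned twice is not a conflict
				seen[p] = true
				out[p.Package] = append(out[p.Package], p.Version)
			}
			walk(p.Package) // follow the dependency's own manifest, if it has one
		}
	}
	walk(root)
	return out
}

// NeedsReview lists packages pinned to several versions or left unpinned.
func NeedsReview(merged map[string][]string) []string {
	var bad []string
	for pkg, versions := range merged {
		if len(versions) != 1 || versions[0] == "" {
			bad = append(bad, pkg)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	m := map[string][]Pin{ // constructed sample; names and versions are made up
		"App1":             {{"example.com/Lib1", "v1.0.0"}, {"example.com/Lib2", "v2.1.0"}},
		"example.com/Lib1": {{"example.com/log", "v0.8.0"}, {"example.com/yaml", ""}},
		"example.com/Lib2": {{"example.com/log", "v0.10.0"}},
	}
	fmt.Println(NeedsReview(Merge("App1", m)))
}
```

Any package returned by `NeedsReview` is one where the vendored version would otherwise be decided implicitly rather than by a reviewed pin.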
