Starting from poetry 1.5.0 (ref), the "category" field, based on which capycli skips dev dependencies, is no longer part of the poetry.lock file. #7637
This causes capycli to list all the dependencies, including dev ones, and in our projects to also load those into SW360.
I'm not so acquainted with poetry internals, but I guess that a solution would require reading the main dependencies from the pyproject.toml file and resolving the transitive dependencies of the main dependencies from the poetry.lock, as looking only at the lock file isn't enough to exclude dev dependencies.
This is bad. I even added support for the dev flag to the CycloneDX tool.
But we have to accept their justification: in the end, the lock file format is not officially documented and they are free to change it.
We could try to use poetry show --without dev ... but this is again a proprietary format, or maybe use poetry export -f requirements.txt --output requirements.txt --without-hashes.
As far as I can see, --without dev has no effect on the requirements file.
--without dev has no effect because it's the default behaviour of the poetry export plugin not to include the dev group dependencies (ref)
If you try poetry export -f requirements.txt --with dev -o requirements.txt --without-hashes then we'll obtain a requirements.txt with both main and dev dependencies.
So if going with the export plugin is the way, I think poetry export -f requirements.txt --output requirements.txt --without-hashes is the right command