Dependency chains

Dependency chains can answer the following questions: "Is this dependency direct or transitive?" and "How did I bring this dependency into my code?"

Supported ecosystems

The Tidelift CLI leverages ecosystem-specific tools to discover the source of dependencies in your project's bill of materials.
 
The following ecosystems are currently supported, with more to come soon:
  • Java: Maven or Gradle is used, depending on your chosen toolset
  • JavaScript: npm and yarn are both supported
  • NuGet

A manifest and a lockfile are required, regardless of ecosystem. If you need more information on generating lockfiles, see the compatible languages and package files article.

Tidelift alignment

With these ecosystem-native tools in place, you can use the following command to process a dependency chain:

tidelift alignment

The 'tidelift alignment' command generates a bill of materials for a project and checks its alignment with your catalog. When alignment fails, it lists the packages that are out of alignment and gives a URL where you can see more details.

By clicking each "see dependency chains" link, you can see all of the direct dependencies that bring in deeper-level transitive dependencies, along with the chain structure.
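
To make the direct-versus-transitive question concrete, the following added example (not Tidelift's code, and not a description of how the CLI is implemented) walks a constructed npm lockfile and lists every chain that brings in a given package version. The package names, versions and function names are made up for illustration, and only `dependencies` (plus root `devDependencies`) are followed.

```javascript
// Constructed npm lockfile ("packages" layout of lockfileVersion 2/3); names and versions are made up.
const lock = {
  packages: {
    "": { dependencies: { "demo-framework": "^2.0.0", "demo-logger": "^1.0.0" } },
    "node_modules/demo-framework": { version: "2.1.0", dependencies: { "demo-parser": "^1.0.0", "demo-qs": "^6.0.0" } },
    "node_modules/demo-parser": { version: "1.4.0", dependencies: { "demo-qs": "^5.0.0" } },
    "node_modules/demo-parser/node_modules/demo-qs": { version: "5.2.0" },
    "node_modules/demo-qs": { version: "6.5.0" },
    "node_modules/demo-logger": { version: "1.3.0" },
  },
};

// Resolve `name` the way Node does: nearest node_modules first, then walk up to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Return every chain [direct, ..., target] that ends at targetName@targetVersion.
function dependencyChains(lockfile, targetName, targetVersion) {
  const pk = lockfile.packages;
  const chains = [];
  const walk = (path, chain, seen) => {
    const deps = { ...pk[path].dependencies, ...(path === "" ? pk[path].devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolve(pk, path, name);
      if (!next || seen.has(next)) continue; // entry missing from lockfile, or a cycle
      const link = [...chain, `${name}@${pk[next].version}`];
      if (name === targetName && pk[next].version === targetVersion) chains.push(link);
      else walk(next, link, new Set(seen).add(next));
    }
  };
  walk("", [], new Set());
  return chains;
}

// A chain of length 1 is a direct dependency; anything longer is transitive.
function classify(chains) {
  if (chains.length === 0) return "absent";
  return chains.some((c) => c.length === 1) ? "direct" : "transitive";
}

for (const c of dependencyChains(lock, "demo-qs", "5.2.0")) console.log(c.join(" > "));
```

The root entry supplies the direct dependencies and the remaining entries pin what was actually installed, so two versions of the same package can each have a different chain.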