Dependency chains answer two questions about any package in your project: "Is this dependency direct or transitive?" and "How did this dependency get into my code?" (that is, which of my direct dependencies pulled it in).
Supported ecosystems
- Java: Maven or Gradle, depending on your chosen toolset
- JavaScript: npm and yarn are both supported
- NuGet
A manifest and a lockfile are both required, regardless of ecosystem: the manifest declares your direct dependencies, and the lockfile records the resolved transitive ones, which is what the chains are built from. If you need help generating a lockfile, see the compatible languages and package files article.
Tidelift alignment
With these ecosystem-native tools in place, you can use the following command to process a dependency chain:
tidelift alignment
The 'tidelift alignment' command generates a bill of materials for the project and checks it against your catalog. When the check fails, the command lists the packages that are out of alignment and prints a URL where you can see more details.
Clicking the 'see dependency chains' link for a package shows which of your direct dependencies are bringing in that deeper-level transitive dependency, and the structure of each chain from the direct dependency down to it.
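The following is an added example, not part of this article and not Tidelift's own code, showing what the two questions from the introduction and the chain structure described above look like when computed directly from an npm lockfile. It walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), resolves each dependency the way npm does (nearest node_modules first, then walking up), and records every chain from the root to each package. The lockfile embedded here is constructed for the example; its package names and versions are fictional, and the function names are this example's own.

```javascript
// Constructed sample package-lock.json (lockfileVersion 3 shape). Names and
// versions are fictional; "body-reader" pins its own nested copy of
// channel-util, which is how lockfiles represent non-hoistable duplicates.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-kit": "^1.0.0", "util-lib": "^2.0.0" } },
    "node_modules/web-kit": {
      version: "1.0.0",
      dependencies: { "body-reader": "1.0.0", "querylib": "3.0.0" },
    },
    "node_modules/body-reader": {
      version: "1.0.0",
      dependencies: { "querylib": "3.0.0", "channel-util": "^0.9.0" },
    },
    "node_modules/body-reader/node_modules/channel-util": { version: "0.9.0" },
    "node_modules/querylib": {
      version: "3.0.0",
      dependencies: { "channel-util": "^1.0.0" },
    },
    "node_modules/channel-util": { version: "1.0.0" },
    "node_modules/util-lib": { version: "2.0.0" },
  },
};

// Resolve `name` as required from the package at `fromPath`, using npm's
// lookup order: <fromPath>/node_modules/<name>, then the same in each
// enclosing package, finishing at the top-level node_modules.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (base === "") return null; // not in the lockfile at all
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Build a Map from "name@version" to { direct, chains }, where each chain is
// the list of "name@version" labels from a direct dependency down to the
// package. A package reachable along several routes gets several chains.
function dependencyChains(lock) {
  const packages = lock.packages;
  const result = new Map();

  function walk(pkgPath, chain) {
    const deps = packages[pkgPath].dependencies || {};
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDependency(packages, pkgPath, depName);
      if (depPath === null) {
        throw new Error(`lockfile inconsistent: ${depName} not resolvable from ${pkgPath || "<root>"}`);
      }
      const label = `${depName}@${packages[depPath].version}`;
      if (chain.includes(label)) continue; // guard against dependency cycles
      const nextChain = [...chain, label];
      let entry = result.get(label);
      if (!entry) {
        entry = { direct: false, chains: [] };
        result.set(label, entry);
      }
      if (pkgPath === "") entry.direct = true; // required by the root manifest
      entry.chains.push(nextChain);
      walk(depPath, nextChain);
    }
  }

  walk("", []);
  return result;
}

// Render the result as report lines, one per package plus one per chain.
function chainReport(result) {
  const lines = [];
  for (const [label, { direct, chains }] of result) {
    lines.push(`${label} (${direct ? "direct" : "transitive"})`);
    for (const chain of chains) lines.push(`  ${chain.join(" > ")}`);
  }
  return lines;
}

console.log(chainReport(dependencyChains(sampleLock)).join("\n"));

module.exports = { sampleLock, resolveDependency, dependencyChains, chainReport };
```

To run it against a real project, replace sampleLock with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). Note that the walk enumerates every distinct path, so on a large lockfile with heavily shared packages the number of chains can grow quickly; a tool that only needs the direct dependencies responsible for a package can stop at the first element of each chain.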