
Manually tracking dependencies #376

Open
calvinhughes opened this issue Jul 20, 2021 · 5 comments

Comments

@calvinhughes

Hey 👋

Is there any particular method you've used for tracking manual sources? I understand there's the Manifest source which looks like it can be used for files in the repository; but what I'm looking to solve is those ones being loaded externally which have no such file. For example with license_finder it's possible to track hidden dependencies which are then registered in the list.

My way of doing it as a workaround is perhaps to generate a bogus manifest entry and adjust the yml so that's used or perhaps caching the files to be used in the manifest. Do you think that might be the best approach? Or might you recommend implementing a new "manual" source that could be controlled via the CLI?

Thanks!

@calvinhughes calvinhughes changed the title Manually tracking libraries Manually tracking dependencies Jul 20, 2021
@jonabc
Contributor

jonabc commented Jul 20, 2021

what I'm looking to solve is those ones being loaded externally which have no such file.

👋 @calvinhughes can you explain what you mean here a little more? how are the dependencies being loaded externally so that the package manager doesn't know about them?

This scenario was close to the intention of the manifest source as you've called out, however I can see how the workaround you're using can be annoying. Before proposing any feature work or solutions, I'd love to get a better idea how the dependencies are sourced and used 🙇

@calvinhughes
Author

calvinhughes commented Jul 20, 2021

@jonabc So a common case is typically in older projects without a package manager, or they use something like WordPress. There it contains scripts like jQuery, Bootstrap, Intercom etc. loaded using <script> tags from a CDN or other path, e.g.:

<script type="text/javascript" src="https://code.jquery.com/jquery-3.6.0.min.js"></script>

While caching the script is preferred (and definitely a good idea security-wise!) for things like jQuery or Bootstrap which are static; it's a bit more problematic for ones that are dynamic and kept updated by the service for something like Intercom or Google Tag Manager.

The main reason for wanting these recorded is mostly to have a single source of truth in one place (licensed list) to report from and to be able to generate the notice files from that easily.

Hope that example helps :)
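The inventory step implied by the <script> example above, written out as an added example; this is not code from the licensed project or from anyone in this thread. It assumes a constructed sample page (the hosts other than code.jquery.com are placeholders) and uses a plain regex scan of script tags rather than an HTML parser. The static/dynamic split is inferred from whether the URL carries a version number, which matches the distinction drawn above between cacheable libraries and vendor-updated scripts.

```ruby
# Added example, not code from the licensed project: inventory the externally
# loaded <script> tags in an HTML page so they can be recorded by hand.
require 'uri'

# Constructed sample standing in for a WordPress-style page (hosts other than
# code.jquery.com are placeholders, not real sites).
SAMPLE_HTML = <<~HTML
  <html><head>
  <script type="text/javascript" src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
  <script src="https://cdn.example.test/bootstrap/5.0.2/bootstrap.min.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="//widget.example.test/widget.js" async></script>
  <script src="/assets/app.js"></script>
  <script>console.log("inline");</script>
  </head></html>
HTML

SCRIPT_TAG = /<script\b([^>]*)>/i

# Read one quoted attribute out of a tag's attribute string.
def attr_value(attrs, name)
  attrs[/\b#{name}\s*=\s*["']([^"']*)["']/i, 1]
end

# Return one record per script loaded from another origin. Same-origin paths
# and inline scripts are skipped: they live in the repository and can be
# covered by the manifest source.
def external_scripts(html)
  html.scan(SCRIPT_TAG).filter_map do |(attrs)|
    src = attr_value(attrs, 'src')
    next unless src && src.match?(%r{\A(https?:)?//})

    uri = URI.parse(src.start_with?('//') ? "https:#{src}" : src)
    version = uri.path[/\d+\.\d+(?:\.\d+)?/]
    base = File.basename(uri.path).sub(/(\.min)?\.js\z/i, '')
    name = version ? base.sub(/[-_.]?#{Regexp.escape(version)}/, '') : base
    name = base if name.empty?
    {
      url: src,
      host: uri.host,
      name: name,
      version: version,
      # A version in the URL means the CDN copy is static and can be cached;
      # no version means the vendor updates it in place (Intercom-style).
      kind: version ? :static : :dynamic,
      sri: !attr_value(attrs, 'integrity').nil?
    }
  end
end

# Records worth a human look: dynamic scripts cannot be pinned, and static
# ones without an integrity attribute are not verified by the browser.
def needs_review(deps)
  deps.select { |d| d[:kind] == :dynamic || !d[:sri] }
end

# Format the inventory as lines that can be pasted into a hand-maintained list.
def report(deps)
  deps.map do |d|
    label = d[:version] ? "#{d[:name]} #{d[:version]}" : "#{d[:name]} (unversioned)"
    "#{label}\t#{d[:kind]}\tsri=#{d[:sri]}\t#{d[:url]}"
  end
end

if __FILE__ == $PROGRAM_NAME
  deps = external_scripts(SAMPLE_HTML)
  puts report(deps)
  puts "needs review: #{needs_review(deps).map { |d| d[:name] }.join(', ')}"
end
```

Running it against a directory of templates (loop over `Dir.glob('**/*.{html,php}')` and concatenate the results) gives the list that a manual source or a hand-edited manifest would need to hold; the `needs_review` subset is the part that cannot be pinned by caching and so has to be re-checked whenever the vendor ships a new version.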

@jonabc
Contributor

jonabc commented Jul 22, 2021

@calvinhughes ahhh got it, yeah I see the difficulty you're describing. thanks for the example!

I think the only way to make this easier would be to put in a manual dependency source like you're describing. It sounds like you have a workaround that should work in the short term so I'm assuming this would make your life easier but it's not blocking you entirely - is that correct?

@calvinhughes
Author

@jonabc yep, it's not blocking at the moment so I can work with that fine. I'll see if I can find some time to develop a manual source that I can try out, and submit a PR?

@jonabc
Contributor

jonabc commented Jul 23, 2021

That would be great!
