Dependency Sources

[c0rydoras]

Goal

• Allow multiple dependency_sources (packages) e.g package-a/yarn.lock, package-b/yarn.lock
• Assign maintainers per source

Implementation

• Projects have a m2m of DependencySource
• Projects do no longer have versioned_dependencies or maintainers
• DependencySource has versions which is an m2m for Version
• Maintainers now have a source field that replaces the project field

class Maintainer
    ...
    source = models.ForeignKey(
        DependencySource, on_delete=models.CASCADE, related_name="maintainers"
    )
    ...

• Due to how lockfiles are implemented we use their name and create a source from it:

class Tracker:
    # this would also be adjusted further
    ...
    def _get_lockfile(self, root, file):
        file_path = path.join(root, file)
        rel_file_path = path.relpath(file_path, self.local_path)
        with open(file_path, "r") as file_content:
            return {"name": rel_file_path, "data": file_content.read()} # e.g. {"name": "./api/poetry.lock", "data": "..."}

    @property
    def lockfiles(self):
        if not self.has_local_copy:
            raise RepoDoesNotExist(
                f"Unable to retrieve lockfiles for {self.project.repo} because it is not saved locally."
            )

        lockfile_list = []
        for root, _, files in walk(self.local_path):
            if ".git" in root:
                continue

            lockfile_list.extend([self._get_lockfile(root, file) for file in files])

        return lockfile_list
     ...

• Adjust Parser to set versions on sources instead of versioned_dependencies on the project
• Adjust views and serializers
• Adjust tests
• Write tests

Further implementation

• automatically parse codeowners and use it to assign maintainers using https://github.com/sbdchd/codeowners