Treat all packages listed in requirements.txt as direct dependencies #7320

Merged
Jenson3210 merged 4 commits into main from Jenson3210/fix-python-dep-marker
Apr 8, 2026

Conversation


@Jenson3210 Jenson3210 commented Apr 8, 2026

Summary

  • Fixes a bug where packages explicitly listed in requirements.txt were classified as transitive (and skipped by vulnerability fix recipes) when they also appeared as dependencies of other installed packages

  • Adds parseDeclaredPackageNames() to extract package names from the file content, and passes them to dependenciesFromResolved() so they are always treated as direct

  • The existing root-only behavior is preserved for setup.cfg/setup.py callers via the original no-arg overload

  • Fixes moderneinc/customer-requests#2157

Test plan

  • dependenciesFromResolvedExcludesTransitives — existing behavior preserved when no declared names provided
  • dependenciesFromResolvedTreatsDeclaredPackagesAsDirect — new test verifying declared packages remain direct even when they appear as transitive deps
  • parseDeclaredPackageNamesExtractsNames — new test verifying name extraction from various requirement line formats
  • All existing RequirementsTxtParserTest tests pass

Previously, `dependenciesFromResolved()` only treated graph-root packages
(those not depended on by any other installed package) as direct. This
caused packages like `aiohttp`, `cryptography`, `Jinja2` etc. to be
classified as transitive when they were explicitly pinned in the
requirements.txt but also happened to be dependencies of other listed
packages. As a result, vulnerability fix recipes skipped upgrading them.

Now, the parser scans the requirements.txt file content and passes the
declared package names to `dependenciesFromResolved()`, ensuring every
explicitly listed package is treated as a direct dependency regardless
of the dependency graph.

Fixes moderneinc/customer-requests#2157

Verifies that packages listed in requirements.txt are treated as direct
while packages only present in the freeze output (true transitives) are
excluded from the dependencies list.
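The two classification rules the commit message above contrasts, as an added example. This is Python written for this page, not OpenRewrite's Java implementation and not code from this PR: the functions parse_declared_package_names, parse_freeze, dependencies_from_resolved, direct_names and classify, and the sample requirements.txt, pip freeze listing and dependency graph are all assumptions constructed here, chosen so that the pinned packages the commit message names (aiohttp, cryptography, Jinja2) are also depended on by another installed package.

```python
"""Direct vs transitive classification of a pip-frozen environment.
Added example, not OpenRewrite code: all names and sample data are constructed."""
from __future__ import annotations

import re

# pip comments start only at line start or after whitespace: '#egg=' in a URL survives.
_COMMENT_RE = re.compile(r"(^|\s+)#.*$")
# PEP 508 project name: alphanumerics joined by '.', '-' or '_'.
_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")
_EGG_RE = re.compile(r"#egg=([A-Za-z0-9._-]+)")
_URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Jinja2', 'jinja2' and 'JINJA_2' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_declared_package_names(content: str) -> set[str]:
    """Normalised names of every package a requirements.txt explicitly declares:
    pins, ranges, extras, markers, 'name @ url' and '-e <vcs>#egg=name' rows,
    backslash continuations. Option rows (-r, -c, --index-url, ...) and bare
    URL or path rows name nothing knowable without fetching, so are skipped."""
    names: set[str] = set()
    for raw in content.replace("\\\n", " ").splitlines():
        line = _COMMENT_RE.sub("", raw).strip()
        egg = _EGG_RE.search(line)
        if egg:
            names.add(normalize(egg.group(1)))
            continue
        if not line or line.startswith(("-", ".", "/")) or _URL_RE.match(line):
            continue
        match = _NAME_RE.match(line)  # stops at '[', '=', '>', ';', '@' or space
        if match:
            names.add(normalize(match.group(0)))
    return names


def parse_freeze(output: str) -> dict[str, str]:
    """'pip freeze' lines into {normalised name: version}."""
    pairs = (line.split("==", 1) for line in output.splitlines() if "==" in line)
    return {normalize(name): version for name, version in pairs}


def dependencies_from_resolved(resolved: dict[str, str], requires: dict[str, set[str]],
                               declared: set[str] | None = None) -> dict[str, dict[str, object]]:
    """Map each resolved package to {'version', 'direct'}. declared=None is the
    old root-only rule (direct = nothing else installed depends on it); with the
    declared names every requirements.txt package is direct regardless of graph."""
    depended_on = {normalize(dep) for deps in requires.values() for dep in deps}
    declared = declared or set()
    return {
        name: {"version": version, "direct": name not in depended_on or name in declared}
        for name, version in resolved.items()
    }


def direct_names(deps: dict[str, dict[str, object]]) -> list[str]:
    return sorted(name for name, info in deps.items() if info["direct"])


# Constructed sample inputs, not taken from any real project.
REQUIREMENTS_TXT = """\
# application pins
aiohttp[speedups]>=3.9,\\
    <4
cryptography==42.0.5
Jinja2==3.1.3 ; python_version >= "3.8"
pyOpenSSL==24.0.0
-r dev-requirements.txt
-e git+https://example.invalid/acme/tooling.git#egg=acme-tooling
"""

PIP_FREEZE = """\
acme-tooling==0.1.0
aiohttp==3.9.3
aiosignal==1.3.1
cffi==1.16.0
cryptography==42.0.5
Jinja2==3.1.3
pyOpenSSL==24.0.0
"""

# Requires lines as 'pip show' would report them (constructed).
REQUIRES = {
    "acme-tooling": {"aiohttp", "Jinja2"},
    "aiohttp": {"aiosignal"},
    "cryptography": {"cffi"},
    "pyOpenSSL": {"cryptography"},
}


def classify(honour_declared: bool) -> list[str]:
    """Direct packages under the old root-only rule (False) or the fix (True)."""
    declared = parse_declared_package_names(REQUIREMENTS_TXT) if honour_declared else None
    resolved = parse_freeze(PIP_FREEZE)
    return direct_names(dependencies_from_resolved(resolved, REQUIRES, declared))
```

Under the root-only rule, classify(False) reports only acme-tooling and pyopenssl as direct, so a fix recipe keyed on direct dependencies never touches the pinned cryptography, aiohttp or Jinja2 lines; classify(True) reports all five declared packages as direct while aiosignal and cffi, which appear only in the freeze output, stay transitive. Names are PEP 503 normalised on both sides so that the casing in requirements.txt (pyOpenSSL) and in the freeze listing cannot cause a false transitive.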
@github-project-automation github-project-automation Bot moved this from In Progress to Ready to Review in OpenRewrite Apr 8, 2026
@Jenson3210 Jenson3210 merged commit 80b3c86 into main Apr 8, 2026
1 check passed
@github-project-automation github-project-automation Bot moved this from Ready to Review to Done in OpenRewrite Apr 8, 2026
@Jenson3210 Jenson3210 deleted the Jenson3210/fix-python-dep-marker branch April 8, 2026 20:24