Custom dependency graph format for unpublished / GitHub-only repositories

TheLartians · April 5, 2021, 8:52pm

Hey everyone!

I’ve been working on a very simple dependency manager for C++ that is able to fetch dependencies on-demand from Git repositories (and caches them to save bandwidth). We are currently exploring the possibility to auto-generate manifest files for tracking dependencies in the GitHub dependency graph. So far we’ve tried listing the dependencies in an npm-style package.json file, which seems to be recognised, however the according dependencies appear grayed out, probably as the packages aren’t published on npm.

Is there a compatible format that we can use to link to generic GitHub repositories that can be properly parsed and linked by the dependency graph?

Thanks,

Lars

ernest-phillips · July 8, 2021, 7:36am

Hi @TheLartians thanks for making your first post in the Community forum!

Your assumptions are correct here. If the package isn’t published to NPM, dependabot will not be able to make the associated connection to the proper repository. We do not have a way to get those updates to it when changes are made.

There’s no workaround for this one either, I’m afraid.

TheLartians · July 7, 2021, 10:19am

Got it, thanks for clarifying!