How to generate lockfiles from manifests

By generating a lockfile and uploading it to the Tidelift application, you’ll be able to see both direct and transitive dependencies that exist within your dependency graph. For instructions on how to upload manifest files to Tidelift, please see our documentation

Below are instructions on how to generate lockfiles in a few common languages:


Python

First install python via homebrew (mac) or apt (linux).

brew install python3
sudo apt install python3 python3-dev python3-pip

Next, create a folder to work in, change into that directory. Copy your manifest into this folder. Create a virtual environment and source it so you don’t mess up your machine-global packages

mkdir temp-project 

cd temp-project 

cp ~/Downloads/requirements.txt ./ 

python3 -m venv env 

source env/bin/activate

You should now see (env) at the beginning of your command line, noting that you are now inside the virtual environment. Now, install Pipenv and wheel, which will let you turn the manifest into a lock file. Finally, run Pipenv to generate said lockfile.

pip3 install wheel pipenv 

pip3 install -r requirements.txt 

pipenv install

Now upload the requirements.txt and Pipfile.lock to their portal.


JavaScript / Node

First, install node and the node package manager (npm) via homebrew (mac) or apt (linux).

brew install node yarn 

sudo apt install nodejs yarn

Next, create a folder to work in, change into that directory. Copy your manifest into this folder.

mkdir temp-project 

cd temp-project 

cp ~/Downloads/package.json ./

Check to see if yarn is working correctly.

yarn --version

If Yarn is not found in your PATH, add yarn’s path to your ~/.zshrc profile:

export PATH="$HOME/.yarn/bin:$PATH"

Install the transitive dependencies and generate the yarn.lock file.

yarn install

Now upload the package.json and yarn.lock to their portal.


Ruby

First install the Ruby Environment Manager (rbenv) via homebrew (mac).

brew install rbenv

Linux takes a few more steps:

git clone https://github.com/rbenv/rbenv.git ~/.rbenv 

echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.zshrc 

echo 'eval "$(rbenv init -)"' >> ~/.bashrc 

source ~/.bashrc

Verify rbenv is working properly.

rbenv --version

Now, we can install a version of Ruby. I choose 2.6.4, but you can see them all by using rbenv install -l

rbenv install 2.6.4 

rbenv global 2.6.4 

ruby -v

Now, let’s turn off documentation generation for Gems, which will save a lot of time when installing the Gems.

echo "gem: --no-document" > ~/.gemrc

Install the bundler Gem, which is used heavily in dependency management.

gem install bundler

Next, create a folder to work in, change into that directory. Copy your manifest into this folder.

mkdir temp-project 

cd temp-project 

cp ~/Downloads/Gemfile ./

Generate the lock file with bundler.

bundle lock

Now upload the Gemfile and Gemfile.lock to their portal.


Java

First install the Java Development Kit [JDK], NOT the Runtime Environment [JRE]) via homebrew (mac) or apt (linux). Also install gradle for generating the lockfile.

brew install java gradle

Linux takes a few more steps:

sudo apt install default-jdk 

curl -s "https://get.sdkman.io" | bash 

sdk install gradle

Verify gradle and java are working properly.

java -version 

gradle -version

Next, create a folder to work in, change into that directory. Copy your manifest into this folder.

mkdir temp-project 

cd temp-project 

cp ~/Downloads/pom.xml ./

Initialize a gradle project, it should ask you “Found a Maven build. Generate a Gradle build from this? (default: yes) [yes, no]”, type “yes”.

gradle init

Generate the lock file by exporting the output of gradle dependencies.

gradle dependencies -q > gradle-dependencies-q.txt

Now upload the pom.xml and gradle-dependencies-q.txt to their portal.


GoLang

First install Go via tar (linux), the GoLang project page (mac) or via Homebrew on mac:

brew install go

Linux has a few more steps. Download a version > 1.13 from https://golang.org/dl/. Then extract and add your go project path and environment variables:

sudo tar -C /usr/local -xzf go1.13.1.linux-amd64.tar.gz 

echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.zshrc 

source ~/.zshrc

Make sure go works.

go version

Next, create a folder to work in (must be in your Go directory), change into that directory. Copy your manifest into this folder.

mkdir ~/go/src/temp-project 

cd ~/go/src/temp-project 

cp ~/Downloads/go.mod ./

You’ll have to create a simple program and save it as “main.go”:

package main 

import "fmt" 

func main() { 

	fmt.Println("Success!")

}

Now you can run the program (which will also build it):

go run main.go

Now your direct dependencies are still in “go.mod”, but you should see direct+transitive in “go.sum”.

To print out a CSV of all the deps (path, version, transitive?):

go list -m -f="{{.Path}},{{.Version}},{{.Indirect}}" -u all

Note: Go will auto-include any imported packages from “main.go” into “go.mod”. This simple program didn’t have any imports, but note that Go kept the existing packages in the “go.mod” that you saved (this is an intentional policy of Go Modules not to remove anything from “go.mod”)


Questions? Reach out to our team at support@tidelift.com!

Still need help? Contact Us Contact Us