
Add dependency dump script for supply chain auditing #2

Open
smurching wants to merge 4 commits into main from dump-dependencies-script

Conversation

@smurching
Owner

Summary

Adds scripts/dump-dependencies.py — clones (or scans a local) repo and dumps all direct and transitive dependencies to a CSV, useful for SQL-querying against newly-discovered compromised package lists.

Output schema: repo, package_name, dependency_type, dependency, version_spec, min_version

Sources parsed:

  • pyproject.toml → direct PyPI deps (dependency, optional:<group>, build, dev-group:<g>)
  • package.json → direct npm deps (dependencies, devDependencies, peerDependencies, optionalDependencies)
  • uv.lock → transitive-pypi (exact pinned versions for full transitive closure)
  • package-lock.json → transitive-npm (full resolved node_modules tree)

Usage:

# Clone and scan a remote repo
python scripts/dump-dependencies.py --repo https://github.com/org/repo

# Scan local repo
python scripts/dump-dependencies.py --repo . --out deps.csv

Test plan

  • python scripts/dump-dependencies.py --repo . produces a CSV with direct + transitive deps
  • python scripts/dump-dependencies.py --repo https://github.com/smurching/databricks-ai-bridge clones and scans successfully

🤖 Generated with Claude Code
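The description above fixes a CSV schema and a use case (join the dump against a compromised-package list) without showing how the rows are derived. The script below is an added, stand-alone illustration written for this page; it is not the PR's own scripts/dump-dependencies.py and makes no claim about that file's internals. It re-implements the schema for the npm half (package.json direct deps, package-lock.json transitive deps) and the PyPI direct-dependency half from a parsed pyproject table, and adds the lower-bound cross-check the "min_version" column exists for. All manifests, package names and the advisory list are constructed and fictional; the pyproject dict stands in for what tomllib.loads would return, so no TOML parser is needed to run it.

```python
"""Dump direct and transitive npm/PyPI dependencies into the six-column CSV schema
(repo, package_name, dependency_type, dependency, version_spec, min_version) and
cross-check the rows against a list of compromised package versions.
Added example for this page; not the PR's scripts/dump-dependencies.py."""
import csv
import io
import re

FIELDS = ["repo", "package_name", "dependency_type", "dependency", "version_spec", "min_version"]
NPM_SECTIONS = ("dependencies", "devDependencies", "peerDependencies", "optionalDependencies")
_LOWER_BOUND = re.compile(r"^(\^|~=|~|>=|==|=)?(\d+(?:\.\d+)*)$")


def version_key(version):
    """Numeric tuple for comparing dotted versions ('2.28' < '2.99.0')."""
    return tuple(int(part) for part in version.split("."))


def min_version(spec):
    """Lowest version a spec admits, or '' when it has no lower bound.
    Accepts npm forms (^1.2.3, ~1.2.3, >=1.2.3, 1.2.3, a || b) and PyPI forms
    (>=1.2, ==1.2, ~=1.2). Clauses such as <3 or >1.0 never set a lower bound."""
    lows = []
    for clause in re.split(r"\|\||,|\s+", spec.strip()):
        match = _LOWER_BOUND.match(clause)
        if match:
            lows.append(match.group(2))
    return min(lows, key=version_key) if lows else ""


def normalize_pypi(name):
    """PEP 503 normalisation so 'Acme_Client' and 'acme-client' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def split_pypi_dep(requirement):
    """'Acme_Client[tls]>=2.28,<3 ; python_version>"3"' -> ('acme-client', '>=2.28,<3')."""
    requirement = requirement.split(";", 1)[0].strip()
    match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$", requirement)
    if not match:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return normalize_pypi(match.group(1)), match.group(3).strip()


def make_row(repo, package_name, dep_type, dependency, version_spec):
    return dict(zip(FIELDS, [repo, package_name, dep_type, dependency, version_spec, min_version(version_spec)]))


def parse_package_json(repo, data):
    """Direct npm deps, one dependency_type per manifest section."""
    return [make_row(repo, data.get("name", ""), section, dep, spec)
            for section in NPM_SECTIONS for dep, spec in data.get(section, {}).items()]


def parse_package_lock(repo, data):
    """Transitive npm deps from a v2/v3 lockfile: 'packages' maps node_modules paths to
    resolved entries; the '' key is the root project and is skipped."""
    rows = []
    for path, entry in data.get("packages", {}).items():
        if path:
            dep = path.rsplit("node_modules/", 1)[-1]  # keeps scoped names like @org/pkg
            rows.append(make_row(repo, data.get("name", ""), "transitive-npm", dep, entry.get("version", "")))
    return rows


def parse_pyproject(repo, data):
    """Direct PyPI deps from the parsed [project] table (the dict tomllib.loads returns)."""
    project = data.get("project", {})
    groups = [("dependency", project.get("dependencies", []))]
    groups += [(f"optional:{g}", reqs) for g, reqs in project.get("optional-dependencies", {}).items()]
    return [make_row(repo, project.get("name", ""), dep_type, *split_pypi_dep(req))
            for dep_type, reqs in groups for req in reqs]


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def find_exposure(rows, compromised):
    """compromised: {dependency: [bad versions]}. Pinned transitive rows match exactly; a
    direct row is flagged when its range could resolve to a bad version, i.e. a bad version
    is at or above its lower bound, or the spec has no lower bound at all ('*')."""
    hits = []
    for row in rows:
        bad = compromised.get(row["dependency"], [])
        if row["dependency_type"].startswith("transitive"):
            exposed = row["version_spec"] in bad
        elif row["min_version"]:
            exposed = any(version_key(v) >= version_key(row["min_version"]) for v in bad)
        else:
            exposed = bool(bad)
        if exposed:
            hits.append(row)
    return hits


# Constructed sample manifests; every package name here is fictional.
SAMPLE_PACKAGE_JSON = {"name": "demo-app",
                       "dependencies": {"acme-utils": "^4.17.0", "acme-colors": "*"},
                       "devDependencies": {"acme-test": "~9.1.0"}}
SAMPLE_PACKAGE_LOCK = {"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/acme-utils": {"version": "4.17.21"},
    "node_modules/acme-colors": {"version": "1.4.2"},
    "node_modules/acme-utils/node_modules/acme-deep": {"version": "0.3.0"}}}
SAMPLE_PYPROJECT = {"project": {"name": "demo_pkg",
                                "dependencies": ["Acme_Client[tls]>=2.28,<3", "acme-yaml"],
                                "optional-dependencies": {"dev": ["acme-pytest~=8.0"]}}}
# Constructed advisory list in the shape a compromised-package feed might take.
COMPROMISED = {"acme-colors": ["1.4.2"], "acme-deep": ["0.3.0"], "acme-client": ["2.99.0"]}


def build_rows(repo="https://github.com/example/demo"):  # placeholder repo URL
    return (parse_package_json(repo, SAMPLE_PACKAGE_JSON)
            + parse_package_lock(repo, SAMPLE_PACKAGE_LOCK)
            + parse_pyproject(repo, SAMPLE_PYPROJECT))


if __name__ == "__main__":
    rows = build_rows()
    print(to_csv(rows))
    for hit in find_exposure(rows, COMPROMISED):
        print("EXPOSED:", hit["dependency_type"], hit["dependency"], hit["version_spec"] or "*")
```

The cross-check treats the two halves of the schema differently on purpose: a lockfile row carries the exact version that was installed, so only an exact match is a real hit, while a manifest row is a range, and the honest answer for a range is "could this resolve to the bad version", which is what the min_version column lets you ask in SQL without parsing specs there. An unbounded spec such as `*` is flagged whenever the package name appears in the feed at all.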

smurching and others added 4 commits March 22, 2026 12:42
scripts/dump-dependencies.py clones (or scans a local) repo and dumps
all direct and transitive dependencies to a CSV for SQL-based auditing
against newly-discovered compromised package lists.

Schema: repo, package_name, dependency_type, dependency, version_spec, min_version

Sources parsed:
  - pyproject.toml  → direct PyPI deps (dependency, optional, build, dev-group)
  - package.json    → direct npm deps (dependencies, devDependencies, peer, optional)
  - uv.lock         → transitive-pypi (exact pinned versions)
  - package-lock.json → transitive-npm (full resolved node_modules tree)

Usage:
  python scripts/dump-dependencies.py --repo https://github.com/org/repo
  python scripts/dump-dependencies.py --repo . --out deps.csv

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…d tests

- Move semver parsing logic to scripts/min_version.py — core use case
  ("do we depend on this package at all") doesn't require it in the main module
- Single rglob traversal over all manifest types instead of 4 separate passes
- Fix redundant min() called 3x on same list (now computed once → best)
- Replace identity section_map dict with a plain list in parse_package_json
- Add scripts/test_dump_dependencies.py: 45 tests covering min_version,
  normalize_pypi, split_pypi_dep, and all four file parsers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 participant